
WordPress patches Stored XSS bug, Many versions affected

WordPress has issued a critical security update, WordPress Security Release 4.2.1, announced in an advisory by consultant Gary Pendergast, after millions of websites were put at risk by a bug that allows attackers to take control of a site.

Pendergast wrote, "A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable a commenter to compromise a site". He added, "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those."

Discovered by Jouko Pynnönen of the Finnish security company Klikki, the critical zero-day vulnerability, unpatched at the time of disclosure, affects WordPress' comment mechanism: it is a stored cross-site scripting (XSS) bug that allows an attacker to take over an entire website running the WordPress platform.

In a blog post, Klikki explained that if the payload is triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plug-in and theme editors. Alternatively, the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

The vulnerability is exploited by injecting JavaScript into the WordPress comment section and then padding the comment with 64 KB of text.

"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be long", Pynnönen said.

"The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core", he added.

WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected.

The bug is similar to one reported by Cedric Van Bockhaven in 2014; the only difference in this version is the use of an excessively long comment to achieve the same effect. In both cases, the injected JavaScript can't be triggered in the administrative Dashboard, so these exploits require getting around comment moderation, e.g. by posting one harmless comment first.
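An added Python illustration of the truncation mechanism Pynnönen describes (not WordPress code, and the database truncation is modelled, not real): a comment containing only an allowed tag is silently cut at the 64 KB TEXT column limit, which leaves the tag unterminated, and two defensive checks (refuse over-long input at write time, refuse mid-tag values at render time) catch the condition.

```python
from html import escape

MYSQL_TEXT_LIMIT = 65535  # a MySQL TEXT column stores at most 64 KiB


def db_truncate(value: str, limit: int = MYSQL_TEXT_LIMIT) -> str:
    """Model a TEXT column that silently cuts an over-long value at the byte
    limit instead of raising an error (the behaviour the quoted bug relies on)."""
    return value.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def ends_inside_tag(html: str) -> bool:
    """True when the markup stops in the middle of a tag: the last '<' has no
    '>' after it, so whatever the page emits next is parsed as part of that
    user-controlled tag instead of as separate markup."""
    return html.rfind("<") > html.rfind(">")


def store_comment(text: str, limit: int = MYSQL_TEXT_LIMIT) -> tuple[bool, str]:
    """Write-time check: refuse anything the column cannot hold in full, so the
    value that was sanitized is exactly the value that gets stored."""
    if len(text.encode("utf-8")) > limit:
        return False, "comment too long"
    return True, text


def render_stored(html: str) -> str:
    """Read-time check: a stored value that ends mid-tag is emitted as escaped
    text rather than as live markup."""
    return escape(html) if ends_inside_tag(html) else html


# Constructed sample: an otherwise harmless <a> tag whose title attribute is
# padded far past the column limit, so the closing '">' is cut off in storage.
LONG_COMMENT = '<a title="' + "x" * 70000 + '">see</a>'
SHORT_COMMENT = '<a title="ok">see</a>'

if __name__ == "__main__":
    stored = db_truncate(LONG_COMMENT)
    print(len(stored), ends_inside_tag(stored))   # 65535 True
    print(store_comment(LONG_COMMENT)[0])         # False
    print(render_stored(stored)[:12])             # &lt;a title=
```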

Vulnerabilities in RunKeeper website could allow hackers to run XSS worm

Security researcher David Sopas has discovered cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the RunKeeper website, the official site of the popular GPS fitness-tracking application.

The POST request on the "Account Settings" page did not use a security token to validate the request, resulting in a CSRF vulnerability. It could have allowed cybercriminals to modify an authenticated user's information by tricking them into clicking a crafted link that sends a malicious request.

The persistent XSS vulnerability in the Account Settings and profile pages posed a serious security risk: cybercriminals could have launched an attack affecting millions of users.

A hybrid attack combining the XSS and CSRF vulnerabilities results in hijacking the user's profile. Attackers could also have modified the proof of concept slightly and run an XSS worm.

RunKeeper fixed these security issues immediately after being notified by Sopas.

Sharecash vulnerable to Persistent Cross Site Scripting vulnerability

Security researcher Rafay Baloch, the founder of Rafay Hacking Articles, has discovered a cross-site scripting (XSS) vulnerability in the ShareCash website (ShareCash is the highest paying pay-per-download network around).

The vulnerability affects the "Manage Widget" page of ShareCash and was found to be a stored XSS.

Stored XSS Vulnerability

Stored XSS is the more critical variety, since the script is stored on the server and executed every time a user visits the affected page.

In an email sent to EHN, the researcher provided a screenshot of the proof of concept. From the POC, I came to know that the "Widget Name" is vulnerable to XSS attack. It seems like the developer fails to validate the input.

Rafay claimed that he sent more than 10 emails to ShareCash to notify them about the vulnerability, but they failed to respond.

Stored XSS vulnerability in Tumblr can be used for Phishing and Malware attack

Recently we reported that the cause of the Tumblr reblog attack is a stored cross-site scripting (XSS) vulnerability. The vulnerability was discovered by security researcher Janne Ahlberg, who says it is not yet fixed.

According to his research, it is possible to embed JavaScript and some other HTML tags in certain Tumblr post types (e.g. video posts).

The vulnerability can be used to launch phishing attacks. For instance, it would be quite easy to request input from users in various ways and store that input on the attacker's server. The attacker could also push malicious files from that server to Tumblr users.

The researcher described one possible attack scenario: "Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts."

"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."

Tumblr worm spread due to unfixed Stored XSS vulnerability

The day after Tumblr was hit by a "worm" that left many Tumblr websites defaced with an identical message by the Internet troll group GNAA, a security researcher has confirmed that there is a stored cross-site scripting vulnerability in Tumblr that allowed the attackers to hack Tumblr.

According to a Naked Security report, the worm appears to have taken advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

If you were not logged into Tumblr when your browser visited the URL, it would simply redirect you to the standard login page.

According to some news reports, the hackers behind the attack had warned Tumblr about a vulnerability weeks ago, but received no response from Tumblr.

Janne Ahlberg confirmed XSS vulnerability

"I created a temporary Tumblr account using a different browser, submitted a public post with a stored XSS payload and visited the profile from another PC & different account. The vulnerability seems to be valid." Security researcher Janne Ahlberg confirmed the XSS flaw in his blog post.

"A new Tumblr worm could still be possible. See analysis by @JanneFI: … Good example on how XSS vulns are not harmless." reads a tweet from Mikko Hyppönen, CRO at F-Secure.

*Update*: Tumblr is still vulnerable to stored XSS. Read the updated post here.