XSS and Uncontrolled redirect Vulns in Encrypted Blog Plugin for Wordpress

# Date: 28 August 2013
# Author: k3170makan
# Vendor or Software Link: http://wordpress.org/plugins/encrypted-blog/
# Version:
# Category: webapps
# Tested on: N/A

The Encrypted Blog plug-in for WordPress suffers from multiple vulnerabilities that expose authenticated WordPress users to cross-site scripting (XSS) attacks and uncontrolled redirects; combined, these vulnerabilities can leak the encryption key the WordPress user set for this plugin.

Cross Site Scripting:
The contents of the redirect_to field in encrypt_blog_form.php, which is supplied via the GET method, are not sanitized, allowing attackers to submit malicious HTML/JavaScript and other client-side browser scripting content.
Here's the code:
13 <form name="loginform" id="loginform" action="<?php
14 if( isset( $_GET['redirect_to'] ) && !empty( $_GET['redirect_to'] ) )
15 {
16 echo $_GET['redirect_to'];
17 if( strpos( $_GET['redirect_to'], '?' ) === false && substr( $_GET['page'], -1 ) !== '/') {
18 echo '/';
19 }
20 }
21 else
22 {
23 echo './';
24 }

Line 16 shows that the value is echoed without parsing or validating the redirect_to field and without escaping or removing any potentially malicious HTML/JavaScript.


Uncontrolled Redirect:

Line 43 (not included in the excerpt above) shows that unsanitized and uncontrolled data from the redirect_to field is used to build redirects, meaning that attackers will be able to redirect victims to arbitrary domains.
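As an added example (not code from the plugin or from the advisory author), here is how both issues, the unescaped form action on line 16 and the redirect on line 43, would be handled with WordPress core helpers; the encblog_* function names are illustrative, and the snippet assumes it runs inside WordPress where esc_url, wp_unslash, wp_validate_redirect, wp_safe_redirect and home_url are available.

```php
<?php
// Added example, not the plugin's code: hardened handling of redirect_to
// for both places the advisory describes. Assumes WordPress core is loaded.

/**
 * Resolve the login form's action attribute. Only a redirect_to value
 * whose host passes wp_validate_redirect() (the site itself, or a host
 * listed via the allowed_redirect_hosts filter) is accepted; anything
 * else falls back to the site's own URL. The result is escaped for the
 * HTML attribute context, which is what line 16 of the plugin omits.
 */
function encblog_form_action() {
    $fallback = home_url( '/' );
    $target   = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';

    // Host allowlist check: returns $fallback for external or malformed targets.
    $safe = wp_validate_redirect( $target, $fallback );

    // Preserve the plugin's trailing-slash behaviour on the validated value.
    if ( strpos( $safe, '?' ) === false && substr( $safe, -1 ) !== '/' ) {
        $safe .= '/';
    }

    // esc_url() rejects unsafe schemes such as javascript: and encodes
    // characters (quotes, angle brackets) that could break out of the attribute.
    return esc_url( $safe );
}

/**
 * Post-login redirect: wp_safe_redirect() applies the same host check,
 * so a redirect_to pointing at an arbitrary domain lands on the fallback
 * instead of sending the victim off-site (the line 43 issue).
 */
function encblog_redirect_after_login() {
    $target = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    wp_safe_redirect( wp_validate_redirect( $target, home_url( '/' ) ) );
    exit;
}
?>
<form name="loginform" id="loginform" action="<?php echo encblog_form_action(); ?>" method="post">
```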

