鸿 网 互 联 www.68idc.cn

当前位置 : 服务器租用 > 网站安全 > 安全设置 > >

Wordpress插件Quick Contact Form 6.0 持久型xss

来源:互联网 作者:佚名 时间:2015-08-30 06:40
=======================标题=====Quick Contact Form - Persistent Cross Site Scripting Vulnerability作者======Zy0d0x开发者======Quick Plugins - http://quick-plugins.com/受影响产品================Quick Contact Form Wordpress Plugin Version 6.
=======================
标题
=====
 
Quick Contact Form - Persistent Cross Site Scripting Vulnerability
 
作者
======
 
Zy0d0x
 
开发者
======
 
Quick Plugins - http://quick-plugins.com/
 
受影响产品
================
 
Quick Contact Form  Wordpress Plugin Version 6.0 possibly earlier
 
 
VULNERABILITY CLASS
===================
 
Cross-Site Scripting
 
 
描述
===========
 
 
Quick Contact Form suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the qcfname4 paramater.
Other input fields are also effective to reflective cross site scripting.
 
 
测试证明
================
 
Enter the following into the field where Quick Contact Form requests a Message.
 
--- SNIP ---
 
"><script>alert(String.fromCharCode(90,121,48,100,48,120))</script><
 
--- SNIP ---
 
If the message has been sent successfully a alert diolog will apear containing Zy0d0x when an user checks there message in the dashboard.
 
 
影响
======
 
An attacker could potentially hijack session authentication tokes of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and operating system of the victim.
 
 级别
============
高危
 
状态
======
新版v6.1已经修复
 
 

 

网友评论
<