Discussion:
[Openvas-plugins] Bug - Wordpress Multiple Themes (oid:802250) - False Positive
R. Brenton Strickler
2018-05-07 18:32:39 UTC
Hi all,

I believe I've stumbled across a bug
in gb_wordpress_mult_themes_xss_vuln.nasl while reviewing a scan.

http://plugins.openvas.org/nasl.php?oid=802250

See this line:
if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern: xploit,
check_header:TRUE))

I'm thinking it should be as follows:

if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern:
xploits[xploit], check_header:TRUE))

Thanks,

-Brenton
Christian Fischer
2018-05-10 12:35:19 UTC
Hi,

thanks for the IP. I was able to reproduce this and can confirm that
this is definitely NOT a false positive.

If you open up the URL (which is now reported in the new version of the
plugin) you will find this vulnerable URL (replace example.com with the
public hostname of that IP):

Vulnerable url:
https://example.com/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

the XSS gets triggered in your browser (as long as you're not using a
tool like NoScript or a browser with built-in XSS protection).

The embedded source code on the target page looks like the following
(there are four different places in the HTML where the JS is embedded,
haven't checked which one is actually triggering the XSS):

<h1 class = 'results' ><span>0</span> Results For ""
<script>alert(document.cookie)</script>"</h1>
<a href="/?s=" ><script>alert(document.cookie)</script>">

<li class="results product-search-results"><a
href="/products/product-search/?product_name="
<script>alert(document.cookie)</script>&department-product-search=all-products"><span>0</span>
Products Found | View </a></li>

<input type="text" class="form-control" name="s" placeholder="Search"
autocomplete = 'off' ng-model="searchcrit" value="\"
<script>alert(document.cookie)</script>" >
Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Thanks for your responses.
I am troubleshooting a 3rd party vendor scanning a client's systems.  I
don't have information on the versions they are using, but I can tell
you the information that I do have.
1) The scan target is 52.21.123.105
2) There's only one theme installed /wp-content/themes/mx-theme/
3) There are no other themes in /wp-content/themes/
4) The theme in question includes URL parameters in the HTML body, but
the html entities are properly escaped.
Any assistance is greatly appreciated.
Thanks again,
-Brenton
On Tue, May 8, 2018 at 3:11 AM, Christian Fischer
Hi *,
Hi,
Post by R. Brenton Strickler
Hi all,
I believe I've stumbled across a bug
in gb_wordpress_mult_themes_xss_vuln.nasl while reviewing a scan.
http://plugins.openvas.org/nasl.php?oid=802250
Post by R. Brenton Strickler
if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern: xploit,
check_header:TRUE))

if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern:
xploits[xploit], check_header:TRUE))
No, it's proper (it should be xploit). Here we want to check only for the
executed payload in the response, not for the payload along with the
parameters.
Exactly. The checks are in the form of an array, so on the first iteration
xploit = ><script>alert\(document.cookie\)</script>
xploits[xploit] =
/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
thus "http_vuln_check()" requests the URL from "xploits[xploit]" and then
checks the response to that request against the regex pattern from
"xploit".
There may be another reason for the FP being reported for you. If you
provide more details about the installed versions and the responses from
the server, it will be easier to look into this.
Additionally, the question is whether this is really a FP, or whether there
is some theme installed which might still be vulnerable to the same
vulnerability but is not described in that plugin.
With the next feed update (once the NVT reaches revision r9750), the URL
where the vulnerability was detected should be included in the report
output. This might help you to gather more information on this.
Thanks,
Antu Sanadi
Post by R. Brenton Strickler
Thanks,
-Brenton
Regards,
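As an added example (not the NVT's code and not the theme's), the following Python re-creates the check logic Antu Sanadi describes above and the reflection Christian reproduced: the table maps the response regex ("xploit") to the request URL ("xploits[xploit]"), the check requests the URL and searches the response body for the regex, and the same loop is also run with the change Brenton proposed (the URL used as the pattern) so the difference is visible. The server side is a constructed stand-in built from the HTML excerpt Christian posted; the hardened variant assumes entity-encoding via Python's html.escape, standing in for what esc_html()/esc_attr() would do in a theme. The check_header argument of the real NASL helper is not modelled.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not the NVT's or the theme's code. The table mirrors the
# structure Antu Sanadi describes: the key ("xploit") is the regex expected in a
# vulnerable response, the value ("xploits[xploit]") is the URL carrying the
# payload. Pattern and URL are the ones quoted in the thread.
XPLOITS = {
    r"><script>alert\(document.cookie\)</script>":
        "/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
}


def results_page(s: str) -> str:
    """Constructed template: the ?s= value lands in the four places Christian's
    HTML excerpt shows (heading text, two href attributes, an input value)."""
    return (
        f"<h1 class='results'><span>0</span> Results For \"{s}\"</h1>\n"
        f"<a href=\"/?s={s}\">\n"
        f"<li class=\"results product-search-results\"><a href=\"/products/"
        f"product-search/?product_name={s}&department-product-search=all-products\">"
        f"<span>0</span> Products Found | View </a></li>\n"
        f"<input type=\"text\" class=\"form-control\" name=\"s\" value=\"{s}\">\n"
    )


def vulnerable_theme(s: str) -> str:
    """Reflects the search term verbatim, as the scanned theme did."""
    return results_page(s)


def hardened_theme(s: str) -> str:
    """Entity-encodes the term for the HTML text and attribute contexts it lands
    in (assumption: equivalent to esc_html()/esc_attr()); the href values would
    additionally be URL-encoded in a real fix."""
    return results_page(html.escape(s, quote=True))


def make_fetch(render):
    """Stand-in for the HTTP server: percent-decode the s= parameter from the
    request URL the way PHP's $_GET does, then render the page with it."""
    def fetch(url: str) -> str:
        params = parse_qs(urlsplit(url).query)
        return render(params.get("s", [""])[0])
    return fetch


def http_vuln_check(fetch, url: str, pattern: str) -> bool:
    """Offline mirror of the NASL helper's contract as used here: request the
    URL, then look for the regex `pattern` anywhere in the response body."""
    return re.search(pattern, fetch(url)) is not None


def run_nvt(fetch, dir_: str = "") -> dict:
    """Loop over the table as the NVT does (dir_ is the NASL `dir` prefix, ""
    for a WordPress at the site root). Besides the check as written, run the
    variant Brenton proposed, where the request URL itself is the pattern."""
    return {
        "pattern_is_xploit": any(
            http_vuln_check(fetch, dir_ + path, xploit)
            for xploit, path in XPLOITS.items()
        ),
        "pattern_is_url": any(
            http_vuln_check(fetch, dir_ + path, path)
            for xploit, path in XPLOITS.items()
        ),
    }


if __name__ == "__main__":
    for name, theme in (("vulnerable", vulnerable_theme), ("hardened", hardened_theme)):
        print(name, run_nvt(make_fetch(theme)))
```

Against the vulnerable stand-in the check as written fires and the proposed variant does not: the percent-encoded request string never appears in a rendered page, so using the URL as the pattern would turn the detection into a guaranteed false negative. Against the hardened stand-in neither fires, because the reflected value reads `&quot; &gt;&lt;script&gt;...` rather than `" ><script>...`.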
R. Brenton Strickler
2018-05-10 12:39:17 UTC
Hi Christian,

Thanks for this. I wasn't able to produce that result at first and was
thrown off by the "multiple WordPress theme" prognosis. We'll make
adjustments on our end to address this.

Thanks again,

-Brenton

_______________________________________________
Openvas-plugins mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins