Amazon Captcha Cracked

Note:
I am looking for a job in the information security domain. Any lead or link is highly appreciated.

## FULL DISCLOSURE

#Exploit Author : Rahul Pratap Singh
#Home page Link : http://www.amazon.com
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 1/5/2016

—————————————-
Description:
—————————————-
Amazon has implemented a weak CAPTCHA that can be cracked easily.

—————————————-
POC:
—————————————-

Vulnerability Disclosure Timeline:
→ March 28, 2016  – Bug discovered, initial report to Amazon Security Team
→ March 29, 2016  – Vendor Response. Case number assigned.
→ March 31, 2016  – Vendor Response. Weak captcha is intentional. Have additional controls in place to detect and respond to this type of issue.
→ March 31, 2016  – No Fix.

Thanks to Debasish Mandal for the original script.

Exploit-DB Captcha Cracked

Note:
I am looking for a job in the information security domain. Any lead or link is highly appreciated.

## FULL DISCLOSURE

#Exploit Author : Rahul Pratap Singh
#Home page Link : https://www.exploit-db.com/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 1/5/2016

—————————————-
Description:
—————————————-
Exploit-DB implemented a weak CAPTCHA that can be cracked easily.

—————————————-
POC:
—————————————-

Vulnerability Disclosure Timeline:
→ March 19, 2016  – Bug discovered, initial report to Offensive Security Team
→ March 23, 2016  – No Response. Bug Patched, Google reCAPTCHA Implemented
→ March 23, 2016  – Email sent again for update
→ March 23, 2016  – Vendor Response. Captcha Bypass not a security Issue

Thanks to Debasish Mandal for the original script.

Advanced Custom Fields Auth XSS Vulnerability

Note:
I am looking for a job in the information security domain. Any lead or link is highly appreciated.

## FULL DISCLOSURE

#Product : Advanced Custom Fields
#Exploit Author : Rahul Pratap Singh
#Version : 4.4.7
#Home page Link :https://wordpress.org/plugins/advanced-custom-fields/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 1/5/2016

Authenticated XSS Vulnerability:

—————————————-
Description:
—————————————-
The "type", "label", "name" and "field" parameters are written to the page without output escaping, which leads to XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/advanced-custom-fields/core/views/meta_box_fields.php

Found at line:97

<div class="field field_type-<?php echo $field['type']; ?> field_key-<?php echo $field['key']; ?>" data-type="<?php echo $field['type']; ?>" data-id="<?php echo $field['key']; ?>">

Found at line:105

<a class="acf_edit_field row-title" title="<?php _e("Edit this Field",'acf'); ?>" href="javascript:;"><?php echo $field['label']; ?></a>

Found at line:113

<td class="field_name"><?php echo $field['name']; ?></td>

Found at line:251

<input class="conditional-logic-field" type="hidden" name="fields[<?php echo $field['key']; ?>][conditional_logic][rules][<?php echo $rule_i; ?>][field]" value="<?php echo $rule['field']; ?>" />
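As an added example (not ACF's own code), the stand-alone PHP below renders the same field row twice: once the way the lines above do, and once with the WordPress escaping helper chosen by output context, esc_attr() for a value inside a quoted attribute and esc_html() for a value written between tags. The same two calls are the fix for the attribute-context findings later on this page (CM Ad Changer, Echosign, Tweet-wheel, Persian WooCommerce SMS). The esc_attr()/esc_html() stand-ins are only defined when the script runs outside WordPress, the render_field_row_* names are the example's own, and the field values are constructed payloads.

```php
<?php
// Added example, not ACF's own code. Same shape as the meta_box_fields.php
// lines above: first rendered unescaped, then with WordPress escaping helpers
// chosen by output context. Outside WordPress (php example.php) minimal
// stand-ins for esc_attr()/esc_html() are defined so the script runs alone.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): escape for an attribute-value context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): escape for a text-node context.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unescaped: field values land directly in class/data-* attributes and text nodes.
// (The original <td> is rendered as <span> so the snippet is valid outside a table.)
function render_field_row_vulnerable(array $field): string {
    return '<div class="field field_type-' . $field['type'] . ' field_key-' . $field['key'] . '"'
         . ' data-type="' . $field['type'] . '" data-id="' . $field['key'] . '">' . "\n"
         . '  <a class="acf_edit_field row-title" href="javascript:;">' . $field['label'] . '</a>' . "\n"
         . '  <span class="field_name">' . $field['name'] . '</span>' . "\n"
         . '</div>';
}

// Hardened: esc_attr() for every value inside a quoted attribute,
// esc_html() for every value written between tags.
function render_field_row_hardened(array $field): string {
    return '<div class="field field_type-' . esc_attr($field['type']) . ' field_key-' . esc_attr($field['key']) . '"'
         . ' data-type="' . esc_attr($field['type']) . '" data-id="' . esc_attr($field['key']) . '">' . "\n"
         . '  <a class="acf_edit_field row-title" href="javascript:;">' . esc_html($field['label']) . '</a>' . "\n"
         . '  <span class="field_name">' . esc_html($field['name']) . '</span>' . "\n"
         . '</div>';
}

// Constructed field definition: one payload per rendered parameter.
$field = [
    'type'  => 'text" onmouseover="alert(1)',             // closes data-type="..." and adds a handler
    'key'   => 'field_1',
    'label' => '<img src=x onerror=alert(2)>',            // lands in a text node
    'name'  => 'my_field</span><script>alert(3)</script>', // closes the element, opens a script
];

echo "vulnerable:\n", render_field_row_vulnerable($field), "\n\n";
echo "hardened:\n",   render_field_row_hardened($field),   "\n";
```

In the hardened output the quote in "type" becomes &quot; and stays inside the attribute value, and the angle brackets in "label" and "name" become &lt; and &gt;. Because these values come from a user who can already edit field groups, the impact is one privileged user against another (stored, authenticated XSS); the fix is still escaping at the point of output rather than filtering on input, because the same value may be written into several contexts.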

—————————————-
POC:
—————————————-
(PoC screenshot: advanced-custom-fields-xss1)

Fix:
No Fix

Vulnerability Disclosure Timeline:
→ April 24, 2016  – Contacted Vendor via support
→ April 24, 2016  – Vendor Response
→ April 27, 2016  – Bug Report Sent
→ April 27, 2016  – Vendor Response, asked for more info
→ April 28, 2016  – More info sent
→ April 29, 2016  – No fix. On the to-do list for version 5.0

CM-AD-Changer XSS Vulnerability

## FULL DISCLOSURE

#Product : cm-ad-changer
#Exploit Author : Rahul Pratap Singh
#Version :1.7.2
#Home page Link : https://wordpress.org/plugins/cm-ad-changer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The following parameters are written to the page without output escaping, which leads to XSS:

title, comment, link

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/cm-ad-changer/backend/views/admin_settings.php
Found at line:61
<input type="checkbox" name="acs_active" id="acs_active" value="1" <?php echo ($fields_data['acs_active'] == '1' ? 'checked=checked' : '') ?> />
Found at line:73

<textarea id="acs_custom_css" name="acs_custom_css" rows=7 value="<?php echo stripslashes($fields_data['acs_custom_css']) ?>"><?php echo stripslashes($fields_data['acs_custom_css']) ?></textarea>

File Name: testfiles/cm-ad-changer/backend/views/admin_campaigns.php
Found at line:96
<textarea value="<?php echo (isset($fields_data['comment']) ? stripslashes($fields_data['comment']) : '') ?>" name="comment" id="comment"><?php echo (isset($fields_data['comment']) ? stripslashes($fields_data['comment']) : '') ?></textarea>

—————————————-
POC:
—————————————-
(PoC screenshots: CM Ad Changer XSS Poc, CM Ad Changer XSS Poc1)

Fix:
Update to 1.7.6

Vulnerability Disclosure Timeline:
→ March 14, 2016  – Bug discovered, initial report to Vendor.
→ March 22, 2016  – No Response. Report sent again.
→ March 23, 2016  – WordPress Acknowledged.
→ April 21, 2016  – Full Disclosure.

#######################################
#        CTG SECURITY SOLUTIONS       #
#     www.ctgsecuritysolutions.com    #
#######################################

Pub Ref:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes/

Unlimited Pop-Ups WordPress Plugin XSS Vulnerability

## FULL DISCLOSURE

#Product : Unlimited Pop-Ups WordPress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.3
#Home page Link : http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "callback", "shortcode", "id" and "page" parameters are reflected into the page without output escaping, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_form.php
Found at line:1319

echo '<form action="'.admin_url('admin.php?page='.cjpopups_item_info('page_slug').'&callback='.@$_GET['callback'].'').'" method="post" enctype="multipart/form-data">';

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_ajax.php
Found at line:162

echo '<form action="" method="post" id="cj-shortcode-settings-form" data-shortcode-stype="'.$shortcode_options['stype'].'" data-shortcode-name="'.$_POST['shortcode'].'">';

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/sample-code/dynamic-sidebar-setup/theme_dynamic_sidebars.php
Found at line:139

<td><?php echo $_GET['id']; ?></td>

File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/options/core_import_export.php
Found at line:94

echo '<form class="margin-30-top" action="'.admin_url('admin.php?page='.@$_GET['page'].'&callback='.@$_GET['callback'].'').'" method="post" enctype="multipart/form-data">';
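The admin_form.php and core_import_export.php lines splice raw $_GET values into a query string that is then written into the form's action attribute, so the value crosses two contexts (URL, then HTML attribute). As an added example that is not the plugin's code, the stand-alone PHP below builds the same action URL unescaped and then hardened: the page slug is pinned to the one slug the plugin serves, the callback is URL-encoded, and the finished URL is passed through esc_url() before it is written into the attribute. The admin_url()/esc_url() stand-ins, the PAGE_SLUG constant (standing in for cjpopups_item_info('page_slug')), the example.test host and the form_open_* names are all assumptions of this example.

```php
<?php
// Added example, not the plugin's own code. The original splices $_GET values
// into admin_url('admin.php?page=...&callback=...') and writes the result into
// a form action attribute. Below: the same URL built unescaped, then built
// with URL-encoding and esc_url(). Stand-ins for admin_url()/esc_url() are
// only defined when the script runs outside WordPress.

if (!function_exists('admin_url')) {
    // Stand-in for WordPress admin_url(): fixed base of an assumed demo install.
    function admin_url($path = '') {
        return 'https://example.test/wp-admin/' . ltrim($path, '/');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in for WordPress esc_url(): allow only http(s), then escape for an attribute.
    function esc_url($url) {
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

const PAGE_SLUG = 'cj-popups'; // assumed stand-in for cjpopups_item_info('page_slug')

// Unescaped, same shape as admin_form.php line 1319 / core_import_export.php line 94.
function form_open_vulnerable(array $get): string {
    return '<form action="' . admin_url('admin.php?page=' . @$get['page'] . '&callback=' . @$get['callback'] . '')
         . '" method="post" enctype="multipart/form-data">';
}

// Hardened: pin the page to the plugin's own slug, URL-encode the callback,
// and escape the finished URL for the attribute it is written into.
function form_open_hardened(array $get): string {
    $callback = isset($get['callback']) ? (string) $get['callback'] : '';
    $query    = http_build_query(['page' => PAGE_SLUG, 'callback' => $callback], '', '&', PHP_QUERY_RFC3986);
    return '<form action="' . esc_url(admin_url('admin.php?' . $query))
         . '" method="post" enctype="multipart/form-data">';
}

// Constructed request: the callback closes the action attribute and adds a handler.
$get = [
    'page'     => PAGE_SLUG,
    'callback' => '" onsubmit="alert(1)',
];

echo "vulnerable:\n", form_open_vulnerable($get), "\n\n";
echo "hardened:\n",   form_open_hardened($get),   "\n";
```

In the hardened output the callback appears as %22%20onsubmit%3D%22alert%281%29, so it can neither leave the query string nor the attribute. In a real plugin the callback should additionally be checked against the list of callbacks the page actually supports (that list is not shown on this page, so the example only encodes it); the data-shortcode-name and <td><?php echo $_GET['id']; ?></td> findings above are plain attribute and text-node contexts and take esc_attr() and esc_html() respectively.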

—————————————-

Fix:
Update to 1.4.4

Vulnerability Disclosure Timeline:
→ March 12, 2016  – Bug discovered, initial report to Vendor
→ March 14, 2016  – Vendor Acknowledged
→ March 30, 2016  – Vendor Deployed a Patch

#######################################
#        CTG SECURITY SOLUTIONS       #
#     www.ctgsecuritysolutions.com    #
#######################################

Pub Ref:
http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498

Google SEO Pressor Snippet Plugin XSS Vulnerability

## FULL DISCLOSURE

#Product : Google SEO Pressor Snippet Plugin
#Exploit Author : Rahul Pratap Singh
#Version :1.2.6
#Home page Link : https://wordpress.org/plugins/google-seo-author-snippets/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The following parameters (stored as post meta and echoed back into the meta box) are written to the page without output escaping, which leads to XSS:

Event Name, Events Url, Photo, Location, Start Date, End Date, Street Address, Address Locality, Address Region, Longitude, Latitude, Event type, Offer aggregate, Low Price, High Price, Offer Url, Price, Events Website, Offer Quantity, Price valid Until, Tickets currency

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/google-seo-author-snippets/create_meta_box.php

$videos_value = get_post_meta($post->ID, $videos_id, true);
?>
<tr>
  <th>
    <label for="google_seo_meta_title"><?php _e( $videos_title ); ?></label>
  </th>
  <td><?php
    if (isset($videos_field['type']) && ($videos_field['type'] == 'datepicker')) {
        echo '<input type="date" id="'.$videos_field['id'].'" name="'.$videos_field['id'].'" value="'.$videos_value.'" />';
        echo ''.
             '       jQuery(document).ready(function($) {'.
             '          var dateField = "'. $videos_field['id'] .'";'.
             '          $(\'#\'+dateField).datepick({ '.
             '           minDate: new Date()'.
             '          });'.
             '       });'.
             '';
    } else { ?>
    <input type="text" id="<?php echo $videos_id; ?>" name="<?php echo $videos_id; ?>" class="large-text" value="<?php echo $videos_value; ?>" /> <?php } ?>
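The datepicker branch above writes $videos_field['id'] into a JavaScript string literal and $videos_value into an HTML attribute, two different output contexts with two different escaping rules. As an added example that is not the plugin's code, the stand-alone PHP below produces that markup unescaped and then hardened: esc_attr() for the attribute and wp_json_encode() for the script context, which emits a complete JS string literal (quotes included) with <, >, &, ' and " hex-escaped. The <script> wrapper (which the extract above does not show), the datepicker_* names, the wp_json_encode()/esc_attr() stand-ins and the inputs are assumptions of this example; whether the field id is attacker-controlled depends on where the field definitions come from, which this page does not show, while the meta value is the stored parameter the advisory lists.

```php
<?php
// Added example, not the plugin's own code. Reproduces the datepicker branch
// above once unescaped and once escaped per output context: esc_attr() for
// the value attribute, wp_json_encode() for the JavaScript string literal.
// Stand-ins for esc_attr()/wp_json_encode() are only defined when the script
// runs outside WordPress; the <script> wrapper is assumed.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): escape for an attribute-value context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_json_encode')) {
    // Stand-in for WordPress wp_json_encode(): JSON with <, >, &, ', " hex-escaped,
    // so the literal can neither close the <script> element nor its own string.
    function wp_json_encode($data) {
        return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }
}

// Unescaped: id lands in an attribute and inside a quoted JS string, value in an attribute.
function datepicker_vulnerable(string $id, string $value): string {
    return '<input type="date" id="' . $id . '" name="' . $id . '" value="' . $value . '" />' . "\n"
         . '<script>' . "\n"
         . '  jQuery(document).ready(function($) {' . "\n"
         . '    var dateField = "' . $id . '";' . "\n"
         . '    $(\'#\' + dateField).datepick({ minDate: new Date() });' . "\n"
         . '  });' . "\n"
         . '</script>';
}

// Hardened: esc_attr() for attribute values; wp_json_encode() writes the JS
// string literal itself, so no surrounding quotes are added in the template.
function datepicker_hardened(string $id, string $value): string {
    return '<input type="date" id="' . esc_attr($id) . '" name="' . esc_attr($id) . '" value="' . esc_attr($value) . '" />' . "\n"
         . '<script>' . "\n"
         . '  jQuery(document).ready(function($) {' . "\n"
         . '    var dateField = ' . wp_json_encode($id) . ';' . "\n"
         . '    $(\'#\' + dateField).datepick({ minDate: new Date() });' . "\n"
         . '  });' . "\n"
         . '</script>';
}

// Constructed inputs: the id closes the JS string, the value closes the attribute.
$id    = 'start_date";alert(1);//';
$value = '2016-04-21" autofocus onfocus="alert(2)';

echo "vulnerable:\n", datepicker_vulnerable($id, $value), "\n\n";
echo "hardened:\n",   datepicker_hardened($id, $value),   "\n";
```

In the hardened output the id becomes the literal "start_date\u0022;alert(1);\/\/", which the browser reads as one string. If the template must keep its own surrounding quotes, WordPress's esc_js() is the helper for a value inside an already-quoted JS string; the text-input branch of the original (the else case) only needs esc_attr() on $videos_id and $videos_value.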

—————————————-
POC:
—————————————-
(PoC screenshot: Google SEO Pressor Snippet Plugin XSS)

Fix:
No fix Available

Vulnerability Disclosure Timeline:
→ March 03, 2016  – Bug discovered, initial report to WordPress.
→ March 07, 2016  – No response. Report sent again.
→ March 08, 2016  – WordPress Acknowledged. Plugin taken down.
→ April 21, 2016  – Plugin still down. No patch available.

Pub Ref:
https://wordpress.org/plugins/google-seo-author-snippets/

Echosign Plugin for WordPress XSS Vulnerability

## FULL DISCLOSURE

#Product : Echosign Plugin
#Exploit Author : Rahul Pratap Singh
#Version :1.1
#Home page Link : https://wordpress.org/plugins/echosign/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "page" and "id" parameters (taken from $_REQUEST) are written to the page without output escaping, which leads to XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/echosign/inc.php
Found at line:199

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />

File Name: testfiles/echosign/templates/add_templates.php
Found at line:31
<input type = 'hidden' name = 'id'  value = '<?php echo $_REQUEST['id']; ?>'>

—————————————-

Fix:
No fix Available

Vulnerability Disclosure Timeline:
→ March 03, 2016  – Bug discovered, initial report to WordPress.
→ March 07, 2016  – No response. Report sent again.
→ March 08, 2016  – WordPress Acknowledged. Plugin taken down.
→ April 21, 2016  – Plugin still down. No patch available.

Pub Ref:
https://wordpress.org/plugins/echosign/

Tweet-wheel XSS Vulnerability

## FULL DISCLOSURE

#Product :Tweet-wheel
#Exploit Author : Rahul Pratap Singh
#Version :1.0.3.2
#Home page Link : https://wordpress.org/plugins/tweet-wheel/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The following POST parameters are echoed back into the form without output escaping, which leads to XSS:

consumer_key, consumer_secret, access_token, access_token_secret

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/tweet-wheel/includes/views/auth.php
Found at line:34
<input style="width:400px" type="text" name="consumer_key" value="<?php echo isset( $_POST['consumer_key'] ) ? $_POST['consumer_key'] : ''; ?>">
Found at line:40
<input style="width:400px" type="text" name="consumer_secret" value="<?php echo isset( $_POST['consumer_secret'] ) ? $_POST['consumer_secret'] : ''; ?>">
Found at line:46
<input style="width:400px" type="text" name="access_token" value="<?php echo isset( $_POST['access_token'] ) ? $_POST['access_token'] : ''; ?>">
Found at line:52
<input style="width:400px" type="text" name="access_token_secret" value="<?php echo isset( $_POST['access_token_secret'] ) ? $_POST['access_token_secret'] : ''; ?>">

—————————————-

Fix:
Update to 1.0.4

Vulnerability Disclosure Timeline:
→ March 14, 2016  – Bug discovered, initial report to Vendor.
→ March 22, 2016  – No Response. Report sent again.
→ March 23, 2016  – WordPress Acknowledged.
→ April 21, 2016  – Full Disclosure.

#######################################
#        CTG SECURITY SOLUTIONS       #
#     www.ctgsecuritysolutions.com    #
#######################################

Pub Ref:
https://wordpress.org/plugins/tweet-wheel/changelog/

Persian-woocommerce-sms XSS Vulnerability

## FULL DISCLOSURE

#Product :Persian-woocommerce-sms
#Exploit Author : Rahul Pratap Singh
#Version :3.3.2
#Home page Link : https://wordpress.org/plugins/persian-woocommerce-sms/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "ps_sms_numbers" POST parameter is echoed back into the form without output escaping, which leads to XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/persian-woocommerce-sms/lib/class.bulk.send.php
Found at line:45
value="<?php echo isset($_POST['ps_sms_numbers']) ? $_POST['ps_sms_numbers'] : '' ?>" style="direction:ltr; text-align:left; width:700px; max-width:100% !important"/><br/>

—————————————-

Fix:
Update to 3.3.4

Vulnerability Disclosure Timeline:
→ March 14, 2016  – Bug discovered, initial report to Vendor.
→ March 22, 2016  – No Response. Report sent again.
→ March 23, 2016  – WordPress Acknowledged.
→ April 21, 2016  – Full Disclosure.

#######################################
#        CTG SECURITY SOLUTIONS       #
#     www.ctgsecuritysolutions.com    #
#######################################

Pub Ref:
https://wordpress.org/plugins/persian-woocommerce-sms/changelog/