CM-AD-Changer XSS Vulnerability

## FULL DISCLOSURE

#Product : cm-ad-changer
#Exploit Author : Rahul Pratap Singh
#Version :1.7.2
#Home page Link : https://wordpress.org/plugins/cm-ad-changer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
Following  parameters are not sanitized that leads to XSS Vulnerability.

title, comment, link

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/cm-ad-changer/backend/views/admin_settings.php
Found at line:61
<input type=”checkbox” name=”acs_active” id=”acs_active” value=”1″ <?php echo ($fields_data[‘acs_active’] == ‘1’ ? ‘checked=checked’ : ”) ?> />
Found at line:73

<textarea id=”acs_custom_css” name=”acs_custom_css” rows=7 value=”<?php echo stripslashes($fields_data[‘acs_custom_css’]) ?>”><?php echo stripslashes($fields_data[‘acs_custom_css’]) ?></textarea>

File Name: testfiles/cm-ad-changer/backend/views/admin_campaigns.php
Found at line:96
<textarea value=”<?php echo (isset($fields_data[‘comment’]) ? stripslashes($fields_data[‘comment’]) : ”) ?>” name=”comment” id=”comment”><?php echo (isset($fields_data[‘comment’]) ? stripslashes($fields_data[‘comment’]) : ”) ?></textarea>

—————————————-
POC:
—————————————-
CM Ad Changer XSS PocCM Ad Changer XSS Poc1

Fix:
Update to 1.7.6

Vulnerability Disclosure Timeline:
→ March 14, 2016  – Bug discovered, initial report to Vendor.
→ March 22, 2016  – No Response. Report sent again.
→ March 23, 2016  – WordPress Acknowledged.
→ April 21, 2016  – Full Disclosure.

#######################################
#                    CTG SECURITY SOLUTIONS                          #
#                www.ctgsecuritysolutions.com                        #
#######################################

Pub Ref:
https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s