Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: XSS Vulnerability Report

  1. #1
    Thread Starter
    danroseman's Avatar
    Join Date
    Jan 2012
    Location
    United States
    Posts
    147
    Thanks
    14
    Thanked 2 Times in 2 Posts

    XSS Vulnerability Report

    Hi there,

    We received the following bug report for our website, Coinality.com:

    The Vulnerability Type: XSS (Reflected Cross Site Scripting)
    Severity: High Risk
    Affected Parameter: The "full_address" parameter in the theme search function.
    Description:
    The Vulnerability is exploited by injecting a malicious javascript code inside the affected parameter which is then executed as a stored XSS vulnerability.
    Impact:
    This Vulnerability can be used to generally execute a malicious javascript code at the client-side browser which may lead :


    1- Obtaining a full access to the victim PC, and have a full control over it.
    2- Redirect the User to a malicious worm/spam/phishing website.
    3- Making a scam form to steal victim credentials, such as Username and password...etc.
    4- Targeting the Web Admin to steal authentication cookies, leading to full site control.
    5- Stealing the Cookies of Any user.



    How to reproduce: click the links below (tested on firefox)
    https://coinality.com/?s=anything&location='">&ptype=job_listing&latitude='">&longitude='">&f ull_address='"><script>alert(document.cookie)</script>&north_east_lng=&south_west_lng=&north_east _lat=&south_west_lat=&radius=5'">


    https://coinality.com/?s=anything&location='">&ptype=job_listing&latitude='">&longitude='">&f ull_address='"><img src=x onerror=alert(document.domain)>&north_east_lng=&so uth_west_lng=&north_east_lat=&south_west_lat=&radi us=5'">


    Please let us know what we can do to fix this.

    Thanks!

  2. #2
    jomarkosabel's Avatar
    Join Date
    Mar 2009
    Location
    Philippines
    Posts
    41,006
    Thanks
    170
    Thanked 3,409 Times in 3,280 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!
    Please help our moderating team work more efficiently by not sending us support questions via PM. You can read more about how AppThemes support works here. However, you can send a PM to follow up and remind me if I missed your support request/thread.

    Thank you and have a nice day.

  3. #3
    Thread Starter
    danroseman's Avatar
    Join Date
    Jan 2012
    Location
    United States
    Posts
    147
    Thanks
    14
    Thanked 2 Times in 2 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!

  4. #4
    jomarkosabel's Avatar
    Join Date
    Mar 2009
    Location
    Philippines
    Posts
    41,006
    Thanks
    170
    Thanked 3,409 Times in 3,280 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!
    Last edited by jomarkosabel; February 19th, 2015 at 12:41 PM.
    Please help our moderating team work more efficiently by not sending us support questions via PM. You can read more about how AppThemes support works here. However, you can send a PM to follow up and remind me if I missed your support request/thread.

    Thank you and have a nice day.

  5. #5
    Thread Starter
    danroseman's Avatar
    Join Date
    Jan 2012
    Location
    United States
    Posts
    147
    Thanks
    14
    Thanked 2 Times in 2 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!

  6. #6
    jomarkosabel's Avatar
    Join Date
    Mar 2009
    Location
    Philippines
    Posts
    41,006
    Thanks
    170
    Thanked 3,409 Times in 3,280 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!
    Last edited by jomarkosabel; February 27th, 2015 at 12:54 PM.
    Please help our moderating team work more efficiently by not sending us support questions via PM. You can read more about how AppThemes support works here. However, you can send a PM to follow up and remind me if I missed your support request/thread.

    Thank you and have a nice day.

  7. #7
    Thread Starter
    danroseman's Avatar
    Join Date
    Jan 2012
    Location
    United States
    Posts
    147
    Thanks
    14
    Thanked 2 Times in 2 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!

  8. #8
    jomarkosabel's Avatar
    Join Date
    Mar 2009
    Location
    Philippines
    Posts
    41,006
    Thanks
    170
    Thanked 3,409 Times in 3,280 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!
    Please help our moderating team work more efficiently by not sending us support questions via PM. You can read more about how AppThemes support works here. However, you can send a PM to follow up and remind me if I missed your support request/thread.

    Thank you and have a nice day.

  9. #9
    Thread Starter
    danroseman's Avatar
    Join Date
    Jan 2012
    Location
    United States
    Posts
    147
    Thanks
    14
    Thanked 2 Times in 2 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!

  10. #10
    jomarkosabel's Avatar
    Join Date
    Mar 2009
    Location
    Philippines
    Posts
    41,006
    Thanks
    170
    Thanked 3,409 Times in 3,280 Posts
    You must be an AppThemes customer and logged in to view this response. Join today!
    Please help our moderating team work more efficiently by not sending us support questions via PM. You can read more about how AppThemes support works here. However, you can send a PM to follow up and remind me if I missed your support request/thread.

    Thank you and have a nice day.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Security Vulnerability for Revslider Plugin **IMPORTANT**
    By reiost in forum ClassiPress General Discussion
    Replies: 1
    Last Post: December 17th, 2014, 06:04 AM
  2. Cross Site Scripting (XSS) Vulnerability
    By bhunt in forum Report JobRoller Bugs
    Replies: 3
    Last Post: December 5th, 2014, 10:38 AM
  3. Jomark SSL Vulnerability; Insecure Sources
    By danroseman in forum Report JobRoller Bugs
    Replies: 2
    Last Post: August 28th, 2013, 02:31 PM
  4. Classipress vulnerability
    By aubertin in forum Report ClassiPress Bugs
    Replies: 1
    Last Post: February 1st, 2012, 02:22 PM
  5. [SOLVED] TimThumb vulnerability?
    By rodeoramsey in forum Report ClassiPress Bugs
    Replies: 2
    Last Post: October 23rd, 2011, 05:44 PM