Articles in the Vulnerabilities Category

2 Jul 2012

The “URL Cloak & Encrypt” WordPress plugin is vulnerable to cross-site scripting.
Vulnerable code:
if(strpos($url,'http://')===false&&strpos($url,'https://')===false) $url = base64_decode($url);
POC:
http://{SITE_URL}/wp-content/plugins/url-cloak-encrypt/url.php?id=Ij48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PjwhLS0=
(base64 encoded value of "><script>alert('XSS')</script><!--)
How to fix:
Edit this
echo '<meta http-equiv="refresh" content="'.(html_entity_decode($wp_letsfxurl_arr['red'])).';url=http://j.letsw.com/?'.$url.'">';
$aurl = "<a href=\"http://j.letsw.com/?$url\" style=\"text-align:center;\" rel=\"nofollow\">$url</a><br>";
To
echo '<meta http-equiv="refresh" content="'.(html_entity_decode($wp_letsfxurl_arr['red'])).';url=http://j.letsw.com/?'.str_replace('"','',strip_tags($url)).'">';
$aurl = "<a href=\"http://j.letsw.com/?".str_replace('"','',strip_tags($url))."\" style=\"text-align:center;\" rel=\"nofollow\">$url</a><br>";
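The fix above only strips tags and double quotes from the decoded value and still echoes the raw $url as the link text. The handler below is an added example (not the plugin's code) that keeps the plugin's base64 decode rule but validates the result as an http(s) URL and escapes each output context; the function names, the $delay parameter and the example.com input are assumptions.

```php
<?php
// Added example, not the plugin's code. Models a URL-cloaking redirect
// endpoint: $id is either a plain URL or a base64 string (the plugin's
// strpos() rule), and the result lands in a <meta refresh> and an <a href>.
// Hypothetical names: resolve_cloaked_url(), render_redirect(), $redirect_base.

function resolve_cloaked_url(string $id): ?string
{
    // Same decode rule as the plugin: anything not starting with http(s)://
    // is treated as base64. Strict mode rejects non-base64 characters.
    if (strpos($id, 'http://') === false && strpos($id, 'https://') === false) {
        $decoded = base64_decode($id, true);
        if ($decoded === false) {
            return null;
        }
        $id = $decoded;
    }
    // Reject anything that is not an absolute URL; a value such as
    // "><script>... has no scheme and never reaches the HTML below.
    if (filter_var($id, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($id, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return $id;
}

function render_redirect(?string $url, int $delay, string $redirect_base): string
{
    if ($url === null) {
        return '<p>Invalid link.</p>';
    }
    // Contextual escaping: rawurlencode() for the query-string value,
    // htmlspecialchars() for the attribute and text-node contexts.
    $target = $redirect_base . '?' . rawurlencode($url);
    $attr   = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text   = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta http-equiv="refresh" content="' . $delay . ';url=' . $attr . '">' . "\n"
         . '<a href="' . $attr . '" style="text-align:center;" rel="nofollow">' . $text . '</a><br>';
}

// The advisory's PoC value decodes to markup, not a URL, so the handler refuses it.
var_dump(resolve_cloaked_url('Ij48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PjwhLS0='));
// A legitimate cloaked link (constructed input) is accepted and escaped for output.
echo render_redirect(resolve_cloaked_url(base64_encode('https://example.com/?a=1&b=2')), 0, 'http://j.letsw.com/');
```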
Advice:
Remove that plugin: it is not only bad for your SEO, it is also full of hidden iframes and redirects to the author's site (or sites affiliated with him).
Also, the URL is predictable; the plugin doesn't really "cloak" the URL, it only obfuscates it, which is useless.