Latest Blogs

Articles
Are you a tour agency running a great business and needing to build a great website? This tutorial will give you step-by-step guidelines from the beginning how to build a website with Aventura WordPress Theme – an ultimate solution for your tr...
8 Hits
News
Dear beloved friends and fans!First of all, I hope you're staying healthy and staying safe in your place. The world has been experiencing a tough time because of the COVID-19 pandemic. As you know, TemPlaza did start the support c...
367 Hits
Articles
It is obvious that a great event website easily convinces potential attendees and effortlessly engages them to join your event. This is true for both event websites and other ones in other fields. So how can you create a perfect event website ...
487 Hits
Articles
Shopify is concerned as a leading eCommerce platform that offers such a bunch of stunning features to boost your business activities. Building a beautiful and attractive photo gallery is a good way to show off your products, dedicate works to visitor...
465 Hits
News
Hello guys,We are extremely excited to inform you that a new version of AutoShowroom WordPress Theme has already been released - version 1.9.3.Autoshowroom is known as an ultimate solution for car dealership websites. However, to make it become more ...
500 Hits
Report: XSS vulnerability in the prettyPhoto jQuery library

Report: XSS vulnerability in the prettyPhoto jQuery library

Dear beloved customers, today we’re going to give you an important alert about a serious vulnerability that calls XSS (Cross Site Scripting) appearing in prettyPhoto - a plugin for creating slides of images, effects, gallery in Joomla and WordPress webpages.

XSS (XSS) is one of the most common application layer hacking techniques. XSS enables attackers to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data.

How is XSS doing in prettyPhoto? Let come along with us to figure it out.

Using a dork: “inurl: / wp-content / plugins / prettyPhoto” to find out the vulnerable websites.

xss1

As a result, there are 7300 WordPress sites. After searching for the source code version and looking at the javascript or CSS files, both 3.1.4 and 3.1.5 of prettyPhoto allow the execution code.

xss2

Next, “a document.write” is used to define XSS:

“URL/#prettyPhoto[gallery]/1, / ”

We can see that XSS causes dangerous problems: Denial of Service, redirects, cookies theft, alerts, html code injection...

Then we use “URL / # prettyPhoto [gallery] / 1, /” to get the second XSS, and this is the first serious stage a robbery of cookies, making as follows:

“URL / # prettyPhoto [gallery] / 1, /”

"As a hacking tool, attackers can formulate and distribute a custom-crafted CSS URL by using a browser to test the dynamic website response. The attackers also need to know about some HTML, JavaScript and a dynamic language to build a URL which is not suspicious-looking to attack a XSS vulnerable website." - a blog quote. To know clearly about XSS, you can view a blog at this link

Because of the danger from XSS, WordPress themes, Joomla templates, or other extensions, plugins, documentation which are in version 3.1.5 of prettyPhoto are required to update version 3.1.6 as soon as possible. The vulnerability is fixed in prettyPhoto version 3.1.6.

By updating the version 3.1.6, it will help you to protect your website and you don’t have to worry about the dangers anymore. And just share this post to let other people know!

REFERENCES:

http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

http://www.acunetix.com/blog/articles/preventing-xss-attacks/

Thanks all guy for reading the article!

How to Get Support from TemPlaza
Team Up: TemPlaza and JoomlaShine