Report: XSS vulnerability in the prettyPhoto jQuery library

Dear beloved customers, today we are giving you an important alert about a serious vulnerability, XSS (Cross Site Scripting), found in prettyPhoto, a plugin for creating image slides, effects and galleries on Joomla and WordPress web pages.

XSS (Cross Site Scripting) is one of the most common application layer hacking techniques. XSS enables attackers to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, so that the script executes on his machine and gathers data.

How does XSS show up in prettyPhoto? Come along with us to figure it out.

A search dork, “inurl: / wp-content / plugins / prettyPhoto”, was used to find the websites running the plugin.

The search returns about 7300 WordPress sites. After checking the source code version in the JavaScript or CSS files, we found that both versions 3.1.4 and 3.1.5 of prettyPhoto allow code execution.

Next, a document.write call is used to trigger the XSS, through a URL of the following form:

“URL/#prettyPhoto[gallery]/1, / ”

We can see that XSS causes dangerous problems: denial of service, redirects, cookie theft, alerts, HTML code injection and more.

Then the same kind of URL is used to get a second XSS, and this is the first really serious stage, a theft of cookies, done as follows:

“URL / # prettyPhoto [gallery] / 1, /”
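
As an added example that is not part of this report nor prettyPhoto's own code, the following JavaScript contrasts a naive read of the `#prettyPhoto[gallery]/1/` fragment with a strict, allowlisted parser that treats the fragment as data only; the function names, the regular expression and the assumption that the fragment carries nothing but a gallery name and a slide index are ours.

```javascript
// Added example (not prettyPhoto's own code): contrasts a naive read of the
// "#prettyPhoto[<gallery>]/<index>/" fragment with a strict, allowlisted one.
// Assumption: the fragment only ever needs a gallery name and a slide index.

// Naive approach, in the spirit of the bug above: split the fragment on "/"
// and hand back whatever the URL author placed there, untouched. If this
// value is later passed to document.write, the browser parses it as HTML.
function naiveHashParts(hash) {
  const start = hash.indexOf('#prettyPhoto');
  if (start === -1) return null;
  const parts = decodeURI(hash.slice(start)).split('/');
  // parts[0] is "#prettyPhoto[<gallery>]", parts[1] is the raw index text
  return {
    gallery: parts[0].replace(/^#prettyPhoto\[|\]$/g, ''),
    index: parts[1] === undefined ? '' : parts[1],
  };
}

// Hardened approach: validate the whole fragment against an allowlist.
// Gallery names are short identifiers, the index is digits only, and any
// other character (commas, angle brackets, quotes, ...) rejects the input.
const HASH_RE = /^#prettyPhoto\[([A-Za-z0-9_-]{1,64})\]\/(\d{1,6})\/?$/;

function strictHashParts(hash) {
  let decoded;
  try {
    decoded = decodeURIComponent(hash); // a malformed %-escape is rejected too
  } catch (e) {
    return null;
  }
  const m = HASH_RE.exec(decoded);
  if (!m) return null;
  // Return data, never markup: callers set textContent or element properties
  // from these fields instead of building an HTML string for document.write.
  return { gallery: m[1], index: Number(m[2]) };
}
```

Anything the strict parser returns can be used to open the right gallery slide, while anything it rejects is simply ignored instead of being written into the page.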

"As a hacking tool, attackers can formulate and distribute a custom-crafted CSS URL by using a browser to test the dynamic website response. The attackers also need to know about some HTML, JavaScript and a dynamic language to build a URL which is not suspicious-looking to attack an XSS vulnerable website." - a blog quote. To learn more about XSS, you can read the blog post at this link.

Because of the danger from XSS, any WordPress theme, Joomla template, extension, plugin or documentation that bundles prettyPhoto version 3.1.4 or 3.1.5 must be updated to version 3.1.6 as soon as possible. The vulnerability is fixed in prettyPhoto version 3.1.6.

Updating to version 3.1.6 protects your website, so you don’t have to worry about this danger anymore. Please share this post to let other people know!

REFERENCES:

http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

http://www.acunetix.com/blog/articles/preventing-xss-attacks/

Thanks, everyone, for reading the article!
