Latest Blogs

News
We're happy to inform you of a new version of Musika - Music Bands, Festivals, and Events Joomla Template released. If you're emerging as a talented musician or a well-known music band, owning an online website is a great way to target a mass audienc...
5 Hits
News
Hello guys,We are so pleased to announce that the Home Boat 2 version has already available and included in the AutoShowroom WordPress Theme package. If you are searching for a flexible theme to promote your car or boat business, Auto Showroom i...
5 Hits
Articles
​Are you in the boat and ships dealership or rental business and having a great appetite for creating a professional website? Among a massive collection of WordPress Themes on the internet, it is really difficult to choose a suitable one for your web...
586 Hits
Articles
Are you a tour agency running a great business and needing to build a great website? This tutorial will give you step-by-step guidelines from the beginning how to build a website with Aventura WordPress Theme – an ultimate solution for your tr...
655 Hits
News
Dear beloved friends and fans!First of all, I hope you're staying healthy and staying safe in your place. The world has been experiencing a tough time because of the COVID-19 pandemic. As you know, TemPlaza did start the support c...
701 Hits
Report: XSS vulnerability in the prettyPhoto jQuery library

Report: XSS vulnerability in the prettyPhoto jQuery library

Dear beloved customers, today we’re going to give you an important alert about a serious vulnerability that calls XSS (Cross Site Scripting) appearing in prettyPhoto - a plugin for creating slides of images, effects, gallery in Joomla and WordPress webpages.

XSS (XSS) is one of the most common application layer hacking techniques. XSS enables attackers to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data.

How is XSS doing in prettyPhoto? Let come along with us to figure it out.

Using a dork: “inurl: / wp-content / plugins / prettyPhoto” to find out the vulnerable websites.

xss1

As a result, there are 7300 WordPress sites. After searching for the source code version and looking at the javascript or CSS files, both 3.1.4 and 3.1.5 of prettyPhoto allow the execution code.

xss2

Next, “a document.write” is used to define XSS:

“URL/#prettyPhoto[gallery]/1, / ”

We can see that XSS causes dangerous problems: Denial of Service, redirects, cookies theft, alerts, html code injection...

Then we use “URL / # prettyPhoto [gallery] / 1, /” to get the second XSS, and this is the first serious stage a robbery of cookies, making as follows:

“URL / # prettyPhoto [gallery] / 1, /”

"As a hacking tool, attackers can formulate and distribute a custom-crafted CSS URL by using a browser to test the dynamic website response. The attackers also need to know about some HTML, JavaScript and a dynamic language to build a URL which is not suspicious-looking to attack a XSS vulnerable website." - a blog quote. To know clearly about XSS, you can view a blog at this link

Because of the danger from XSS, WordPress themes, Joomla templates, or other extensions, plugins, documentation which are in version 3.1.5 of prettyPhoto are required to update version 3.1.6 as soon as possible. The vulnerability is fixed in prettyPhoto version 3.1.6.

By updating the version 3.1.6, it will help you to protect your website and you don’t have to worry about the dangers anymore. And just share this post to let other people know!

REFERENCES:

http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

http://www.acunetix.com/blog/articles/preventing-xss-attacks/

Thanks all guy for reading the article!

How to Get Support from TemPlaza
Team Up: TemPlaza and JoomlaShine

By accepting you will be accessing a service provided by a third-party external to https://www.templaza.com/