Report: XSS vulnerability in the prettyPhoto jQuery library

Dear beloved customers, today we’re going to give you an important alert about a serious vulnerability that calls XSS (Cross Site Scripting) appearing in prettyPhoto - a plugin for creating slides of images, effects, gallery in Joomla and WordPress webpages.

XSS (XSS) is one of the most common application layer hacking techniques. XSS enables attackers to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data.

How is XSS doing in prettyPhoto? Let come along with us to figure it out.

Using a dork: “inurl: / wp-content / plugins / prettyPhoto” to find out the vulnerable websites.

xss1

As a result, there are 7300 WordPress sites. After searching for the source code version and looking at the javascript or CSS files, both 3.1.4 and 3.1.5 of prettyPhoto allow the execution code.

xss2

Next, “a document.write” is used to define XSS:

“URL/#prettyPhoto[gallery]/1, / ”

We can see that XSS causes dangerous problems: Denial of Service, redirects, cookies theft, alerts, html code injection...

Then we use “URL / # prettyPhoto [gallery] / 1, /” to get the second XSS, and this is the first serious stage a robbery of cookies, making as follows:

“URL / # prettyPhoto [gallery] / 1, /”

"As a hacking tool, attackers can formulate and distribute a custom-crafted CSS URL by using a browser to test the dynamic website response. The attackers also need to know about some HTML, JavaScript and a dynamic language to build a URL which is not suspicious-looking to attack a XSS vulnerable website." - a blog quote. To know clearly about XSS, you can view a blog at this link

Because of the danger from XSS, WordPress themes, Joomla templates, or other extensions, plugins, documentation which are in version 3.1.5 of prettyPhoto are required to update version 3.1.6 as soon as possible. The vulnerability is fixed in prettyPhoto version 3.1.6.

By updating the version 3.1.6, it will help you to protect your website and you don’t have to worry about the dangers anymore. And just share this post to let other people know!

REFERENCES:

http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

http://www.acunetix.com/blog/articles/preventing-xss-attacks/

Thanks all guy for reading the article!