mikejolley / sidebar-login

Easily add an ajax-enhanced login widget to your WordPress site sidebar.

Home Page: http://wordpress.org/extend/plugins/sidebar-login/

XSS possible

tuxlife opened this issue

if you open

http://example.org/?"><script>alert(1);</script><"

the JavaScript is executed and displays the alert.

<li id="wp_sidebarlogin-4" class="widget-container widget_wp_sidebarlogin"><h3 class="widget-title"><span>Login</span></h3>
                <form method="post" action="http://example.org/?"><script>alert(1)</script><"&_login=3789819747">

                        <p><label for="user_login">Benutzername:</label> <input name="log" value="" class="text" id="user_login" type="text" /></p>
                        <p><label for="user_pass">Passwort:</label> <input name="pwd" class="text" id="user_pass" type="password" /></p>


                        <p class="rememberme"><input name="rememberme" class="checkbox" id="rememberme" value="forever" type="checkbox" /> <label for="rememberme">Eingeloggt bleiben</label></p>

                        <p class="submit">
                                <input type="submit" name="wp-submit" id="wp-submit" value="Login &raquo;" />
                                <input type="hidden" name="redirect_to" class="redirect_to" value="http://example.org/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C%22" />
                                <input type="hidden" name="sidebarlogin_posted" value="1" />
                                <input type="hidden" name="testcookie" value="1" />
                        </p>

possible patch?

--- sidebar-login.php.orig      2012-02-03 13:45:02.334950685 +0100                                                                                                                                                                                                            
+++ sidebar-login.php   2012-02-03 13:43:17.714993110 +0100                                                                                                                                                                                                                    
@@ -132,7 +132,7 @@                                                                                                                                                                                                                                                            
                // login form                                                                                                                                                                                                                                                  
                if (force_ssl_login() || force_ssl_admin()) $sidebarlogin_post_url = str_replace('http://', 'https://', sidebar_login_current_url()); else $sidebarlogin_post_url = sidebar_login_current_url();                                                               
                ?>                                                                                                                                                                                                                                                             
-               <form method="post" action="<?php echo $sidebarlogin_post_url; ?>">                                                                                                                                                                                            
+               <form method="post" action="<?php bloginfo('url') ?>/wp-login.php">                                                                                                                                                                                            

                        <p><label for="user_login"><?php echo $theusername; ?></label> <input name="log" value="<?php if (isset($_POST['log'])) echo esc_attr(stripslashes($_POST['log'])); ?>" class="text" id="user_login" type="text" /></p>                                
                        <p><label for="user_pass"><?php echo $thepassword; ?></label> <input name="pwd" class="text" id="user_pass" type="password" /></p>
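Review bot: the `+` line fixes the symptom by pointing the form at `wp-login.php`, but it does not touch the value that carried the payload and it changes how the widget works. `$sidebarlogin_post_url` is still built two lines above from `sidebar_login_current_url()` (the unescaped current URL that put `"><script>alert(1)</script>` into the `action` attribute) and is now simply left unused, so any other place that echoes it stays exploitable; the `force_ssl_login()`/`force_ssl_admin()` rewrite to `https://` no longer applies to the form target; and, given the `sidebarlogin_posted` hidden field in the rendered output above, the plugin appears to process the submission on the current page, which posting to `wp-login.php` would likely bypass. The smaller and more complete fix is to keep the original target and escape it on output, `<form method="post" action="<?php echo esc_url($sidebarlogin_post_url); ?>">`, which strips `"`, `<` and `>` from the URL, and preferably to sanitise inside `sidebar_login_current_url()` as well so every caller gets a safe value. The `esc_attr()` already used for `$_POST['log']` in the following context line is the pattern to follow.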