Hi,

thanks for the IP. I was able to reproduce this and can confirm that this is definitely NOT a false positive.

If you open up the URL (which is now reported in the new version of the plugin) you will find this vulnerable URL (replace example.com with the public hostname of that IP):

Vulnerable url: https://example.com/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The XSS gets triggered in your browser (as long as you're not using a tool like NoScript or a browser with built-in XSS protection).

The embedded source code on the target page looks like the following (there are four different places in the HTML where the JS is embedded, haven't checked which one is actually triggering the XSS):

<h1 class = 'results' ><span>0</span> Results For "" ><script>alert(document.cookie)</script>"</h1>

<a href="/?s=" ><script>alert(document.cookie)</script>">

<li class="results product-search-results"><a href="/products/product-search/?product_name=" ><script>alert(document.cookie)</script>&department-product-search=all-products"><span>0</span> Products Found | View </a></li>

<input type="text" class="form-control" name="s" placeholder="Search" autocomplete = 'off' ng-model="searchcrit" value="\" ><script>alert(document.cookie)</script>" >

Regards,

-- 
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

On 08.05.2018 17:01, R. Brenton Strickler wrote:
> Thanks for your responses.
>
> I am troubleshooting a 3rd party vendor scanning a client's systems. I don't have information on the versions they are using, but I can tell you the information that I do have.
>
> 1) The scan target is 52.21.123.105
> 2) There's only one theme installed /wp-content/themes/mx-theme/
> 3) There are no other themes in /wp-content/themes/
> 4) The theme in question includes URL parameters in the HTML body, but the html entities are properly escaped.
>
> Any assistance is greatly appreciated.
>
> Thanks again,
>
> -Brenton
>
> On Tue, May 8, 2018 at 3:11 AM, Christian Fischer <christian.fisc...@greenbone.net> wrote:
>
> > Hi *,
> >
> > On 08.05.2018 07:17, Antu Sanadi wrote:
> > > Hi,
> > >
> > > On Tuesday 08 May 2018 12:02 AM, R. Brenton Strickler wrote:
> > >> Hi all,
> > >>
> > >> I believe I've stumbled across a bug in gb_wordpress_mult_themes_xss_vuln.nasl while reviewing a scan.
> > >>
> > >> http://plugins.openvas.org/nasl.php?oid=802250
> > >>
> > >> See this line:
> > >> if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern: xploit, check_header:TRUE))
> > >>
> > >> I'm thinking it should be as follows:
> > >>
> > >> if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern: xploits[xploit], check_header:TRUE))
> > >>
> > >
> > > No, it's proper (should be xploit). Here we want to check only the executed payload from the response, not the payload along with the parameters.
> >
> > Exactly. The checks are in the form of an array, so on the first iteration the following data exists in the variables:
> >
> > xploit = ><script>alert\(document.cookie\)</script>
> > xploits[xploit] = /?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
> >
> > thus the "http_vuln_check()" is requesting the url from "xploits[xploit]" and then checks the response of that request against the regex pattern from "xploit".
> >
> > > May be other reason for reporting FP for you. If you provide more details about installed versions and responses from server, it will be easy to look into this.
> >
> > Additionally the question is if this is really a FP or is there any theme installed which might still be vulnerable to the same vulnerability but not described in that plugin?
> >
> > With the next feed-update (once the NVT reaches Revision r9750) the URL where the vulnerability was detected should be included in the report output. This might help you to gather more information on this.
> > > Thanks,
> > > Antu Sanadi
> > >
> > >> Thanks,
> > >>
> > >> -Brenton
> >
> > Regards,
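To make the mechanics discussed in this thread concrete, here is an added Python simulation (not the NVT's code and not from anyone in the thread) of the body check that `http_vuln_check()` performs with `xploit` as the pattern and `xploits[xploit]` as the requested URL. It runs the check against the four reflected snippets quoted in the message above, against a constructed template that reflects the `s` parameter raw, and against the same template with `html.escape()` applied; the template and the function names are assumptions made for the example.

```python
import html
import re
from urllib.parse import unquote

# Values from the thread: the regex the NVT matches against the response body
# (the "xploit" key) and the URL it requests (the "xploits[xploit]" value).
XPLOIT_PATTERN = re.compile(r"><script>alert\(document.cookie\)</script>")
XPLOIT_URL = "/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"

# The four reflections quoted from the target page, used here as sample bodies.
REFLECTED_SNIPPETS = [
    r'''<h1 class = 'results' ><span>0</span> Results For "" ><script>alert(document.cookie)</script>"</h1>''',
    r'''<a href="/?s=" ><script>alert(document.cookie)</script>">''',
    r'''<li class="results product-search-results"><a href="/products/product-search/?product_name=" ><script>alert(document.cookie)</script>&department-product-search=all-products"><span>0</span> Products Found | View </a></li>''',
    r'''<input type="text" class="form-control" name="s" placeholder="Search" autocomplete = 'off' ng-model="searchcrit" value="\" ><script>alert(document.cookie)</script>" >''',
]


def search_term(url: str) -> str:
    """Decode the s= value the way the theme receives it from the query string."""
    return unquote(url.split("s=", 1)[1])


def render_raw(term: str) -> str:
    """Constructed template that reflects the term unencoded (the vulnerable behaviour)."""
    return f'<h1 class="results"><span>0</span> Results For "{term}"</h1>'


def render_escaped(term: str) -> str:
    """Same constructed template with html.escape(): quote and angle brackets become entities."""
    return f'<h1 class="results"><span>0</span> Results For "{html.escape(term, quote=True)}"</h1>'


def vuln_check(body: str) -> bool:
    """Body half of http_vuln_check: look for the executed payload (xploit), not the URL."""
    return XPLOIT_PATTERN.search(body) is not None


def proposed_check(body: str) -> bool:
    """The suggested alternative: match xploits[xploit] instead. The URL-encoded form
    never appears in the reflected HTML, so this would miss every real hit."""
    return re.search(re.escape(XPLOIT_URL), body) is not None


def check_snippets(bodies: list[str]) -> list[bool]:
    """Run the NVT-style body check over a list of sample response bodies."""
    return [vuln_check(b) for b in bodies]
```

Run as-is, `check_snippets(REFLECTED_SNIPPETS)` flags all four reflections while the escaped rendering is clean, which is the difference between what the scan saw and what a properly escaped theme would have produced.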