Latest Blogs

News
One of our regular tasks at TemPlaza is updating products and giving our customers the latest technology to run their website smoothly. That's why, accompanying with introducing new features, we often fix all known issues. Today, we are excited to in...
244 Hits
News
Hello beloved customers,Good news for today is that Meetup Conference & Event WordPress Theme version 1.7.5 has already released and you can download it to update your website. In this new version, we have included some minor fixes as well as the...
261 Hits
News
Hello guys, We are so excited to announce that the Aventura Travel & Tour Booking System WordPress Theme Version 1.9.4 has already been available for download on Themeforest. In this new version, we have added some minor fixes and updat...
250 Hits
Articles
If you're in the need of building a new website for your car dealership firm or just redesigning the current one about car service to enhance a professional-looking, attractive and modern performance, you have already landed the right place. Bui...
344 Hits
News
We're happy to inform you of a new version of Musika - Music Bands, Festivals, and Events Joomla Template released. If you're emerging as a talented musician or a well-known music band, owning an online website is a great way to target a mass audienc...
353 Hits
Report: XSS vulnerability in the prettyPhoto jQuery library

Report: XSS vulnerability in the prettyPhoto jQuery library

Dear beloved customers, today we’re going to give you an important alert about a serious vulnerability that calls XSS (Cross Site Scripting) appearing in prettyPhoto - a plugin for creating slides of images, effects, gallery in Joomla and WordPress webpages.

XSS (XSS) is one of the most common application layer hacking techniques. XSS enables attackers to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data.

How is XSS doing in prettyPhoto? Let come along with us to figure it out.

Using a dork: “inurl: / wp-content / plugins / prettyPhoto” to find out the vulnerable websites.

xss1

As a result, there are 7300 WordPress sites. After searching for the source code version and looking at the javascript or CSS files, both 3.1.4 and 3.1.5 of prettyPhoto allow the execution code.

xss2

Next, “a document.write” is used to define XSS:

“URL/#prettyPhoto[gallery]/1, / ”

We can see that XSS causes dangerous problems: Denial of Service, redirects, cookies theft, alerts, html code injection...

Then we use “URL / # prettyPhoto [gallery] / 1, /” to get the second XSS, and this is the first serious stage a robbery of cookies, making as follows:

“URL / # prettyPhoto [gallery] / 1, /”

"As a hacking tool, attackers can formulate and distribute a custom-crafted CSS URL by using a browser to test the dynamic website response. The attackers also need to know about some HTML, JavaScript and a dynamic language to build a URL which is not suspicious-looking to attack a XSS vulnerable website." - a blog quote. To know clearly about XSS, you can view a blog at this link

Because of the danger from XSS, WordPress themes, Joomla templates, or other extensions, plugins, documentation which are in version 3.1.5 of prettyPhoto are required to update version 3.1.6 as soon as possible. The vulnerability is fixed in prettyPhoto version 3.1.6.

By updating the version 3.1.6, it will help you to protect your website and you don’t have to worry about the dangers anymore. And just share this post to let other people know!

REFERENCES:

http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

http://www.acunetix.com/blog/articles/preventing-xss-attacks/

Thanks all guy for reading the article!

How to Get Support from TemPlaza
Team Up: TemPlaza and JoomlaShine

By accepting you will be accessing a service provided by a third-party external to https://ns2.templaza.com/