Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 6 Oct 2015 09:42:30 +0300
From: Anti Räis <antirais@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-Request for stored WCI (a.k.a XSS) in Visual Form Builder
 2.7.5 - 2.8.4

Hi!

Has there been any movement on this matter or is this CVE request rejected?

Anti

On 14.09.2015 10:49, Anti Räis wrote:
> Greetings,
>
> I've discovered a vulnerability in the following component and would
> like to request CVE-ID for it:
>
> Product:       Visual Form Builder
> (https://wordpress.org/plugins/visual-form-builder/)
> Version:       2.7.5 - 2.8.4 (according to the source code), fixed in 2.8.5
> Product-type:  Wordpress plugin
> Vendor:        http://vfbpro.com/
> Fixed:         2015-09-09, reported 2015-09-06
> Changelog:    
> https://plugins.trac.wordpress.org/changeset?old_path=%2Fvisual-form-builder%2Ftags%2F2.8.4&old=1244830&new_path=%2Fvisual-form-builder%2Ftags%2F2.8.5&new=1244830&sfp_email=&sfph_mail=
>
> Description:
> This plugin is used to create feedback forms. Unauthenticated user can submit 
> malicious code and it is shown to the authenticated administrator in the entries 
> page. Upon viewing the submitted entry, the attackers code executes resulting in 
> web content injection attack (WCI, a.k.a XSS).
>
>
> Vulnerability:
>
> --- start visual-form-builder/includes/class-entries-detail.php ---
> 160 case 'textarea' :
> 161 case 'html' :
> 162         ?>
> 163         <tr valign="top">
> 164                 <th scope="row"><label for="field[<?php echo $obj->id; ?>]"><?php echo stripslashes( $obj->name ); ?></label></th>
> 165                 <td style="background:#eee;border:1px solid #ddd"><?php echo wpautop( stripslashes( wp_specialchars_decode( esc_html( $obj->value ) ) ) ); ?></td>
> 166         </tr>
> 167 <?php
> 168         break;
> 169 default :
> 171         ?>
> 172         <tr valign="top">
> 173                 <th scope="row"><label for="field[<?php echo $obj->id; ?>]"><?php echo stripslashes( $obj->name ); ?></label></th>
> 174                 <td style="background:#eee;border:1px solid #ddd"><?php echo stripslashes( wp_specialchars_decode( esc_html( $obj->value ) ) ); ?></td>
> 175         </tr>
> 176 <?php
> 177         break;
> --- end visual-form-builder/includes/class-entries-detail.php ---
>
> The vulnerability lies in the following PHP code:
> <?php echo stripslashes( wp_specialchars_decode( esc_html( $obj->value ) ) ); ?>
>
> The $obj->value contains user supplied data and is escaped using the esc_html() 
> and then HTML special characters are decoded using wp_specialchars_decode() 
> which essentially neuters the esc_html(). Finally, the stripslashes() is 
> applied, which removes '\' from the given argument.
>
> Poc:
>     * Submit the following value in the form's text field:
>         \<svg/onload=alert(1)  ;
>
>     * authenticated administrator views the entry and executes the code
>         Visual Form Builder -> Entries -> (attacker's entry) -> View
>
> Disclosure timeline:
>     2015-09-06 - discovery, contacted the developers
>     2015-09-08 - sent further details and requested feedback
>     2015-09-09 - new release with the fix was released
>
> All the best,
>
> Anti Räis
>
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ