Date: Sun, 31 Jul 2016 14:44:19 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting four WordPress Plugins & one Theme

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Scripting in Code Snippets WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting (XSS) vulnerability has been found in
the Code Snippets WordPress Plugin. By using this vulnerability an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any logged-in admin who views
the link in the proof of concept below.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Code Snippets [2] version 2.6.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 2.7.0 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Code Snippets [2] is an easy, clean and simple way to add code snippets
to your site.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted web
sites. XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser side script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.
Reflected XSS occurs when user input is immediately returned by a web
application in an error message, search result, or any other response
that includes some or all of the input provided by the user as part of
the request.

The "tag" field does not filter <script> tags and no output encoding is
performed.

code-snippets/php/class-list-table.php:

if ( ! empty( $_GET['tag'] ) ) {
	echo sprintf( __( ' in tag &#8220;%s&#8221;', 'code-snippets' ), $_GET['tag'] );
}

An attacker needs to lure a logged-in admin to follow the link in the
proof of concept below.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<targetsite>/wp-admin/admin.php?page=snippets&tag=asdasd%5C%5C%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_code_snippets_wordpress_plugin.html
[2] https://wordpress.org/plugins/code-snippets/
[3] https://nl.wordpress.org/plugins/code-snippets/changelog/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in ColorWay WordPress Theme
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay
WordPress Theme. These issues allow an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0024

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on ColorWay [2] WordPress Theme
version 3.4.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in ColorWay [2] WordPress Theme version 3.4.2.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Colorway [2] is a simple, elegant, responsive WordPress Theme built by
InkThemes.com. Multiple Cross-Site Scripting vulnerabilities were found
in the ColorWay WordPress Theme. These issues allow an attacker to
perform a wide variety of actions, such as stealing users' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a victim into opening
a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
These issues exist due to the lack of output encoding of user input. An
example can be seen in the file contact.php. Several POST parameters are
used in the output without applying proper encoding.

<form action="<?php the_permalink(); ?>" id="contactForm" method="post">
	<ul class="contactform">
		<li>
			<label for="contactName"><?php _e('Name:', 'colorway'); ?></label>
			<input type="text" name="contactName" id="contactName" value="<?php if (isset($_POST['contactName'])) echo $_POST['contactName']; ?>" class="required requiredField" />
			<?php if ($nameError != '') { ?>
				<span class="error"> <?php echo $nameError; ?> </span>
			<?php } ?>
		</li>
		<li>
			<label for="email"><?php _e('Email', 'colorway'); ?></label>
			<input type="text" name="email" id="email" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" class="required requiredField email" />
			<?php if ($emailError != '') { ?>
				<span class="error"> <?php echo $emailError; ?> </span>
			<?php } ?>
		</li>
		<li>
			<label for="commentsText"><?php _e('Message:', 'colorway'); ?></label>
			<textarea name="comments" id="commentsText" rows="20" cols="30" class="required requiredField"><?php
				if (isset($_POST['comments'])) {
					if (function_exists('stripslashes')) {
						echo stripslashes($_POST['comments']);
					} else {
						echo $_POST['comments'];
					}
				}
			?>
			</textarea>
			<?php if ($commentError != '') { ?>
				<span class="error"> <?php echo $commentError; ?> </span>
			<?php } ?>
		</li>
		<li>
			<input type="submit" value="<?php _e('Send Email', 'colorway'); ?>"/>
		</li>
	</ul>
	<input type="hidden" name="submitted" id="submitted" value="true" />
</form>

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/contact/" method="POST">
			<input type="hidden" name="contactName"
value="&quot;><script>alert(document.cookie);</script>" />
			<input type="hidden" name="email" value="" />
			<input type="hidden" name="comments" value="                         
                      " />
			<input type="hidden" name="submitted" value="true" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_colorway_wordpress_theme.html
[2] https://wordpress.org/themes/colorway/
------------------------------------------------------------------------
Insert PHP WordPress Plugin allows authenticated user to execute
arbitrary PHP
------------------------------------------------------------------------
Marcel Vermeulen <vermeulen.mc.at.gmail.com> & Ed van der Vlies
<ecvdvlies.at.gmail.com>, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the Insert PHP WordPress Plugin allows an
authenticated user with Contributor role (or higher) to run arbitrary
PHP code. Consequently, this effectively disables any security controls
implemented in WordPress.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Insert PHP [2] WordPress Plugin
version 1.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available. The author of the Insert PHP
WordPress Plugin has indicated that this issue will not be
resolved/mitigated.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Insert PHP [2] WordPress Plugin allows PHP code to be inserted into
WordPress posts and pages. The plugin exposes the insert_php shortcode,
which is used to insert and run the PHP code in a post or page. A
Contributor or higher is allowed to use this shortcode; this effectively
disables any security controls implemented in WordPress.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
An authenticated user with Contributor role (or higher) can make a new
post and execute any command on the server. Since the privileges of a
Contributor are normally restricted, using the insert_php shortcode
effectively disables any security controls implemented in WordPress.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Create a new post and add the following shortcode:

[insert_php]eval(base64_decode('c3lzdGVtKCdjYXQgL2V0Yy9wYXNzd2QnKTs='));[/insert_php]
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/insert_php_wordpress_plugin_allows_authenticated_user_to_execute_arbitrary_php.html
[2] https://wordpress.org/plugins/insert-php/
------------------------------------------------------------------------
Multiple vulnerabilities in All In One WP Security & Firewall plugin
login CAPTCHA
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The login CAPTCHA provided by the All In One WP Security & Firewall
plugin can be circumvented in multiple ways, allowing an attacker to
automate login attempts when the CAPTCHA is enabled.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on the All In One WP Security &
Firewall [2] WordPress Plugin version 4.1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The first two findings are resolved in the All In One WP Security &
Firewall plugin version 4.1.3 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
All In One WP Security & Firewall [2] is a comprehensive, user-friendly,
all in one security and firewall plugin for WordPress. One of its
options is a login CAPTCHA to prevent automated login attempts. Multiple
vulnerabilities exist, allowing an attacker to circumvent the CAPTCHA
mechanism.

------------------------------------------------------------------------
Details finding 1: Complete bypass of CAPTCHA answer validation
------------------------------------------------------------------------
When the login CAPTCHA is enabled, the plugin will check if the user
provided a CAPTCHA answer. If so, the answer will be checked for
validity. However, the code does not account for the case where no
CAPTCHA answer is provided. If no answer is sent, the login will
continue as normal, even though the CAPTCHA setting is enabled.

The vulnerable code is located in wp-security-user-login.php:

//Check if captcha enabled
if ($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1')
{
    if (array_key_exists('aiowps-captcha-answer', $_POST)) //If the login form with captcha was submitted then do some processing
    {
    	[.. captcha logic ..]
    }
    [.. missing else statement ..]
}

------------------------------------------------------------------------
Details finding 2: CAPTCHA answer forgery
------------------------------------------------------------------------

The CAPTCHA answers leak the secret key used to create valid answers. By
extracting the secret keys it's possible to forge valid CAPTCHA answers.

The vulnerable code is located at /classes/wp-security-captcha.php:

//Let's encode correct answer
$captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key');
$current_time = time();
$enc_result = base64_encode($current_time.$captcha_secret_string.$result);
$equation_string .= '<input type="hidden" name="aiowps-captcha-string-info" id="aiowps-captcha-string-info" value="'.$enc_result.'" />';
$equation_string .= '<input type="hidden" name="aiowps-captcha-temp-string" id="aiowps-captcha-temp-string" value="'.$current_time.'" />';
$equation_string .= '<input type="text" size="2" id="aiowps-captcha-answer" name="aiowps-captcha-answer" value="" />';
return $equation_string;

The CAPTCHA form adds three fields to the login form:

- aiowps-captcha-string-info - a timestamp, the secret CAPTCHA key and
  the valid answer, base64 encoded
- aiowps-captcha-temp-string - the timestamp
- aiowps-captcha-answer - the answer to be filled in by the user

For validating the correct answer, aiowps-captcha-string-info is checked
against the timestamp provided by the user, combined with the answer
provided by the user and the secret CAPTCHA key (base64 encoded).

By decoding the value for aiowps-captcha-string-info, a user can extract
the secret key and create valid answers.

------------------------------------------------------------------------
Details finding 3: CAPTCHA answer replay attack
------------------------------------------------------------------------

The CAPTCHA mechanism (which is described above) is created in such a
way that the CAPTCHA answer never expires. A valid answer can be
re-used, allowing automated login attempts.
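The three findings above share one root cause: the hidden field is an encoding of the expected answer rather than an authenticated, time-limited, single-use commitment to it. The following Python model is an added illustration (not the plugin's code) of the quoted construction next to a hardened design that fails closed when the answer is missing (finding 1), carries an HMAC instead of the key (finding 2), and expires and burns each challenge (finding 3). The key, timestamps and the extra aiowps-captcha-nonce field are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; the plugin reads aiowps_captcha_secret_key from its config.
SECRET_KEY = b"constructed-demo-secret-key"


def legacy_string_info(current_time: int, secret: bytes, result: int) -> str:
    """The quoted construction: base64(time . secret . answer).
    base64 is an encoding, not encryption: the recipient of the form field
    also receives the key and the expected answer."""
    raw = str(current_time).encode() + secret + str(result).encode()
    return base64.b64encode(raw).decode()


def legacy_exposes_secret(string_info: str, secret: bytes) -> bool:
    """True when the key is literally present in the decoded hidden field."""
    return secret in base64.b64decode(string_info)


def issue_challenge(secret: bytes, answer: int, now: int) -> dict:
    """Hardened server side: bind the expected answer to a fresh nonce and a
    timestamp with an HMAC. The form carries nonce, timestamp and tag only;
    neither key nor answer can be read from them. The nonce field name is an
    assumption, not one of the plugin's fields."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, f"{nonce}|{now}|{answer}".encode(), hashlib.sha256).hexdigest()
    return {
        "aiowps-captcha-nonce": nonce,
        "aiowps-captcha-temp-string": str(now),
        "aiowps-captcha-string-info": tag,
    }


class CaptchaVerifier:
    """Checks a submitted login form: a challenge is single-use and
    time-limited, and a form without an answer fails instead of passing."""

    def __init__(self, secret: bytes, lifetime_seconds: int = 300):
        self.secret = secret
        self.lifetime = lifetime_seconds
        self.seen_nonces = set()  # replay store; a plugin would persist this

    def verify(self, post: dict, now: int) -> bool:
        required = ("aiowps-captcha-answer", "aiowps-captcha-nonce",
                    "aiowps-captcha-temp-string", "aiowps-captcha-string-info")
        if any(k not in post for k in required):   # finding 1: no answer, no login
            return False
        try:
            issued_at = int(post["aiowps-captcha-temp-string"])
            answer = int(post["aiowps-captcha-answer"])
        except ValueError:
            return False
        if not 0 <= now - issued_at <= self.lifetime:  # finding 3: answers expire
            return False
        nonce = post["aiowps-captcha-nonce"]
        if nonce in self.seen_nonces:                  # finding 3: one attempt per challenge
            return False
        self.seen_nonces.add(nonce)                    # burn it even if the answer is wrong
        msg = f"{nonce}|{issued_at}|{answer}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        submitted = str(post["aiowps-captcha-string-info"])
        return hmac.compare_digest(expected.encode(), submitted.encode())
```

Because the tag also covers the timestamp, tampering with aiowps-captcha-temp-string to extend a challenge's lifetime invalidates it.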

------------------------------------------------------------------------
Details finding 4: Easily automatable CAPTCHA solving
------------------------------------------------------------------------

Math questions created by the login CAPTCHA are not obfuscated in any
way. The math questions (such as "five + 2") can easily be parsed by a
program to generate valid answers.

------------------------------------------------------------------------
Proofs of concepts
------------------------------------------------------------------------
1. Enable the login CAPTCHA and remove the aiowps-captcha-answer
parameter from the POST request. The login will succeed as normal.

2. Base64 decode the hidden field aiowps-captcha-string-info to obtain
the CAPTCHA secret and a valid answer.

3. Send two login attempts with the same (valid)
aiowps-captcha-string-info, aiowps-captcha-temp-string and
aiowps-captcha-answer parameters. The login attempt will be accepted.

4. A programmer can use the array from the number_word_mapping method to
evaluate the questions created by the CAPTCHA.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/multiple_vulnerabilities_in_all_in_one_wp_security___firewall_plugin_login_captcha.html
[2] https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
[3] https://downloads.wordpress.org/plugin/all-in-one-wp-security-and-firewall.zip
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Easy Testimonials WordPress
Plugin
------------------------------------------------------------------------
Bente Schopman, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple stored Cross-Site Scripting vulnerabilities were found in the
Easy Testimonials WordPress Plugin. These issues can be exploited by an
authenticated Contributor (or higher). It allows an attacker to perform
a wide variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0010

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Easy Testimonials [2] WordPress
Plugin version 1.36.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Easy Testimonials [3] WordPress Plugin version
1.37.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Easy Testimonials [2] is an easy-to-use plugin that allows users to add
Testimonials to the sidebar, as a widget, or to embed testimonials into
a Page or Post using the shortcode. Multiple stored Cross-Site Scripting
vulnerabilities were found in the Easy Testimonials WordPress Plugin.
These issues can be exploited by an authenticated Contributor (or
higher).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
These issues can be exploited by users with a role lower than Editor
(which has the unfiltered_html capability) to add scripts and HTML when
creating or updating a testimonial. This is possible through the
following fields:

- Client Name.
- Position/Web Address/Other.
- Location Reviewed/Product Reviewed/Item Reviewed.

The vulnerability allows an attacker to perform a wide variety of
actions, such as stealing users' session tokens, or performing arbitrary
actions on their behalf. In order to exploit this issue, the attacker
has to lure/force a victim into opening a malicious website.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_easy_testimonials_wordpress_plugin.html
[2] https://wordpress.org/plugins/easy-testimonials/
[3] https://downloads.wordpress.org/plugin/easy-testimonials.zip
