Date: Tue, 8 Nov 2016 11:22:01 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting five WordPress Plugins (XSS & object injection)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Scripting in Calendar WordPress Plugin
------------------------------------------------------------------------
Remco Vermeulen, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Calendar WordPress
Plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160725-0008

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Calendar [2] WordPress Plugin
version 1.3.7.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Calendar [3] version 1.3.8.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Calendar [2] WordPress Plugin allows users to manage events and
appointments and display them to the world. A Cross-Site Scripting
vulnerability was found in the Calendar WordPress Plugin. This issue
allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
For any page containing a calendar, the GET request parameters are
appended to the page as hidden inputs when the calendar is configured
with a date switcher. The parameter values are not encoded for the HTML
attribute context, so an attacker can close the value attribute and add
further attributes to the input, including event handlers. This is a
reflected Cross-Site Scripting issue.

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website. In
addition, the calendar must be configured to have a date switcher; by
default this is disabled.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Given the post hello-world, which has a calendar, visit the page with
the following URL:

http://<target>/2016/06/22/hello-world/?foo=whoeiii\%22%20accesskey=x%20onclick=alert(1);//

The key combination CTRL + ALT + x triggers the onclick event (which
modifier keys activate an accesskey depends on the browser and operating
system; ALT + SHIFT + x and ALT + x are the combinations in other
browsers).

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_calendar_wordpress_plugin.html
[2] https://wordpress.org/plugins/calendar/
[3] https://downloads.wordpress.org/plugin/calendar.1.3.8.zip/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Caldera Forms WordPress Plugin
------------------------------------------------------------------------
Jurgen Kloosterman, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Caldera Forms
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160720-0007

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Caldera Forms [2] WordPress
Plugin version 1.3.5.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The Caldera Forms developers issued a fix in Caldera Forms 1.4.2 [3]
which adds nonces for multiple functions (including create_form()),
therefore effectively solving this issue.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Caldera Forms
WordPress Plugin. The code that creates new forms is not protected by an
anti-Cross-Site Request Forgery token, so an attacker can create a form
on behalf of a logged on Administrator, and the newly created form's
data is then echoed without output encoding.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A Stored Cross-Site Scripting vulnerability exists in the Caldera Forms
WordPress plugin. This vulnerability allows an attacker to perform any
action with the privileges of the target user. The affected code is not
protected with an anti-Cross-Site Request Forgery token. Consequently,
it can be exploited by luring the target user into clicking a specially
crafted link or visiting a malicious website (or advertisement).

The vulnerability exists in the file caldera-forms/classes/admin.php and
is located in the function create_form():

1417: echo $newform['ID'];

The vulnerability can be exploited with a specially crafted HTTP POST
request to admin-ajax.php submitted from a third-party page: because
create_form() does not verify a nonce, the request succeeds with the
victim's session, and the script placed in the form name is stored and
later executed in the Administrator's browser, where it can read the
WordPress nonces it needs to perform further actions. In order to
exploit this issue the target user must have an active session in the
Administrator control panel and visit a malicious site (or
advertisement).
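
As an added example (not Caldera Forms' own code), the shape of the
1.4.2-style fix: an admin-ajax action guarded by a nonce and a capability
check, with the stored value encoded before it is sent back. The
myplugin_* names, the nonce action myplugin_create_form, the admin page
hook name and the myplugin_store_form() helper are assumptions; the
WordPress functions used (wp_create_nonce, check_ajax_referer,
current_user_can, wp_send_json_*, sanitize_text_field, esc_html) are
real and behave as commented. The status-code argument of
wp_send_json_error() needs WordPress 4.1 or later.

```php
<?php
// Added example, not Caldera Forms' code: a hardened admin-ajax action that
// creates a form. Three controls the vulnerable create_form() lacked:
// a nonce (CSRF), a capability check (authorisation), output encoding (XSS).

// 1. Hand the nonce to the admin page's JavaScript. wp_localize_script()
//    exposes it as window.mypluginAjax.nonce; the page script must send it as
//    the _ajax_nonce POST field, which check_ajax_referer() reads by default.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_myplugin' !== $hook ) { // hook name is an assumption
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_create_form' ),
    ) );
} );

// 2. The AJAX handler. wp_ajax_* is reachable only by logged-in users, which
//    is exactly the population a CSRF attack targets. The nonce proves the
//    request came from a page WordPress rendered for this user; a <form> on
//    an attacker's site cannot read it. The capability check limits who may
//    create forms at all, independent of where the request came from.
add_action( 'wp_ajax_myplugin_create_form', function () {
    check_ajax_referer( 'myplugin_create_form' ); // terminates the request on a missing/bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // The PoC sends the form fields as a single urlencoded "data" string.
    $raw = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    parse_str( $raw, $fields );
    $name = isset( $fields['name'] ) ? sanitize_text_field( $fields['name'] ) : '';
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'form name required' ), 400 );
    }

    $newform = myplugin_store_form( $name ); // assumed persistence helper, below

    // Never echo stored data raw (the advisory's line 1417 did). Encode for the
    // context it lands in: JSON here, esc_html()/esc_attr() when rendered as HTML.
    wp_send_json_success( array(
        'ID'   => (int) $newform['ID'],
        'name' => esc_html( $newform['name'] ),
    ) );
} );

// Assumed helper: persist the form in an option and return its record.
function myplugin_store_form( $name ) {
    $forms        = get_option( 'myplugin_forms', array() );
    $id           = count( $forms ) + 1;
    $forms[ $id ] = array( 'ID' => $id, 'name' => $name );
    update_option( 'myplugin_forms', $forms );
    return $forms[ $id ];
}
```

On the client side the page script posts action=myplugin_create_form
together with _ajax_nonce set to mypluginAjax.nonce. Replaying the PoC
form against this handler fails at check_ajax_referer() because the
attacker's page has no way to obtain a nonce bound to the victim's
session; and even a legitimate request whose name contains markup is
returned encoded rather than echoed.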

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<!DOCTYPE html>
<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<div>
				<input name="before" value="serialize_modal_form"/>
				<input name="data" value="name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"/>
				<input name="template" value="0"/>
				<input name="callback" value="new_form_redirect"/>
				<input name="modalAutoclose" value="new_form"/>
				<input name="action" value="create_form"/>
				<button type="submit">send</button>
			</div>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_caldera_forms_wordpress_plugin.html
[2] https://wordpress.org/plugins/caldera-forms/
[3] https://nl.wordpress.org/plugins/caldera-forms/changelog/
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Quotes Collection
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0015

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
Plugin Vulnerabilities [2] - Reflected Cross-Site Scripting (XSS)
Vulnerability in Quotes Collection

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Quotes Collection [3] WordPress
Plugin version 2.0.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Quotes Collection [3] WordPress Plugin with Ajax powered Random
Quote sidebar widget helps you collect and display your favourite quotes
in your WordPress website. A Cross-Site Scripting vulnerability was
found in the Quotes Collection WordPress Plugin. This issue allows an
attacker to perform a wide variety of actions, such as stealing
Administrators' session tokens, or performing arbitrary actions on their
behalf. In order to exploit this issue, the attacker has to lure/force a
logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file class-quotes-collection-admin.php and is
caused by the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

<form id="quotescollection" method="get">
	<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
	<div class="list-header">
		<?php echo $list_meta; ?>
		<?php $quotes_list_table->search_box( __('Search', 'quotes-collection'), 'quotescollection'); ?>
	</div>
	<?php $quotes_list_table->display(); ?>
</form>

Normally, the page URL parameter is validated by WordPress
(wp-admin/admin.php rejects values that do not correspond to a
registered plugin page), which prevents Cross-Site Scripting through the
query string. In this case, however, the value of page is read from
$_REQUEST rather than $_GET. With PHP's default request_order of "GP", a
POST parameter overrides a GET parameter of the same name, which allows
parameter pollution: the attacker puts a benign page value in the URL,
so that WordPress routes the request to the plugin page, and
simultaneously submits a malicious page value as a POST parameter.
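
The following added example (not code from the Quotes Collection or
Calendar plugins) serves both this advisory and the Calendar one above:
it shows in runnable PHP why $_REQUEST['page'] is attackable when
$_GET['page'] is not, and how hidden inputs built from request
parameters (the Calendar date switcher re-emits every GET parameter)
should be rendered. It runs outside WordPress; esc_attr() is shimmed
with htmlspecialchars() when WordPress has not defined it, which is what
WordPress's own esc_attr() amounts to for this purpose. The function
names and sample inputs are constructed for the example.

```php
<?php
// Added example; not the plugins' code. Shim so the file runs outside WordPress.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// PHP fills $_REQUEST from the sources named in the request_order ini setting
// (php.ini default "GP"); later sources overwrite earlier ones, so a POST field
// with the same name replaces the GET field that admin.php validated.
function build_request( array $get, array $post, $order = 'GP' ) {
    $request = array();
    foreach ( str_split( $order ) as $source ) {
        if ( 'G' === $source ) { $request = array_merge( $request, $get ); }
        if ( 'P' === $source ) { $request = array_merge( $request, $post ); }
    }
    return $request;
}

// Vulnerable pattern from the Quotes Collection fragment: $_REQUEST, no encoding.
function vulnerable_page_input( array $request ) {
    return '<input type="hidden" name="page" value="' . $request['page'] . '" />';
}

// Fixed pattern: read the parameter that admin.php actually validated ($_GET)
// and encode it for the attribute context it is written into.
function fixed_page_input( array $get ) {
    return '<input type="hidden" name="page" value="' . esc_attr( $get['page'] ) . '" />';
}

// Calendar's date switcher re-emits every GET parameter. Both the name and the
// value land inside attributes, so both need esc_attr(). Inside WordPress $_GET
// arrives with slashes added by wp_magic_quotes(); call wp_unslash() on it first.
function fixed_switcher_inputs( array $get ) {
    $html = '';
    foreach ( $get as $name => $value ) {
        if ( is_array( $value ) ) {
            continue; // foo[]=... has no single value to carry over; drop it
        }
        $html .= '<input type="hidden" name="' . esc_attr( $name ) . '" value="' . esc_attr( $value ) . '" />' . "\n";
    }
    return $html;
}

// Constructed inputs mirroring the two advisories' proofs of concept.
$get  = array( 'page' => 'quotes-collection' );
$post = array( 'page' => '"><script>alert(document.cookie)</script>' );

echo vulnerable_page_input( build_request( $get, $post ) ), "\n";
echo fixed_page_input( $get ), "\n";

$calendar_get = array( 'foo' => 'whoeiii" accesskey=x onclick=alert(1);//' );
echo fixed_switcher_inputs( $calendar_get );
```

Run it with php and compare the three outputs: the vulnerable builder
emits the POSTed value and the double quote closes the value attribute,
so the script element is live markup; the two fixed builders keep the
validated GET value and turn every quote into &quot;, so the Calendar
payload stays inside the attribute as inert text. Reading $_GET alone is
not the fix; the encoding is. Reading $_GET merely restores the
validation WordPress already performs on that source.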


------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/admin.php?page=quotes-collection"
method="POST">
			<input type="hidden" name="page"
value="&quot;<script>alert(document.cookie);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_quotes_collection_wordpress_plugin.html
[2]
https://www.pluginvulnerabilities.com/2016/09/13/reflected-cross-site-scripting-xss-vulnerability-in-quotes-collection/
[3] https://wordpress.org/plugins/quotes-collection/
------------------------------------------------------------------------
Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress
Plugin
------------------------------------------------------------------------
Burak Kelebek, October 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting (XSS) vulnerability has been found in the
WassUp Real Time Analytics WordPress Plugin. By using this vulnerability
an attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the plugin's
visitor log in the WordPress admin panel, typically an Administrator.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160717-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WassUp Real Time Analytics [2]
version 1.9.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 1.9.1 [3]. 

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WassUp Real Time Analytics [2] WordPress plugin can be used to
analyze visitors' traffic with real-time statistics.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the WassUp
WordPress plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. Particularly interesting
about this issue is that an anonymous, unauthenticated user can store
the XSS payload in the admin dashboard simply by requesting a crafted
URL on the public site.

The malicious script code can be sent by anyone visiting the website
(unauthenticated). It is then executed in the admin panel under the
'Current Visitors' section of the WassUp plugin page.

The issue exists in the file wassup.php and is caused by the lack of
output encoding on the request-uri parameter. The vulnerable code is
listed below.

</span><span class="request-uri"><?php echo wassupURI::url_link

and in the file wassup.class.php:

else $urllink='<a href="'.self::add_siteurl("$urlrequested").'" target="_BLANK">'.stringShortener("$urlrequested",$chars).'</a>';
return $urllink;
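
An added example, not the WassUp plugin's code: vulnerable_url_link()
reconstructs the link builder from the fragment above, and
hardened_url_link() is what it should do. The stored value is the raw
request line of an unauthenticated visitor, so nothing upstream has
sanitised it; the only place to fix this is at render time, encoding for
each context separately (URL in the href attribute, text in the link
body). esc_url() and esc_html() are shimmed so the file runs outside
WordPress; the shim of esc_url() is an approximation (scheme allowlist
plus attribute encoding), WordPress's own version also strips control
characters. The site URL and the stored request line are constructed
sample input, the latter taken from the proof of concept below.

```php
<?php
// Added example; not the WassUp plugin's code. Shims for use outside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Approximation of WordPress's esc_url(): allow only http(s), then encode
    // for attribute use. Rejecting other schemes matters when the value can
    // become a full URL; javascript: inside an href needs no < or > at all.
    function esc_url( $url ) {
        $scheme = parse_url( $url, PHP_URL_SCHEME );
        if ( ! is_string( $scheme ) || ! in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

function vulnerable_url_link( $urlrequested, $siteurl, $chars = 60 ) {
    // Mirrors the quoted fragment: attacker bytes go straight into an attribute
    // and into text. A request URI containing "> ends the href and the tag.
    $shown = strlen( $urlrequested ) > $chars ? substr( $urlrequested, 0, $chars ) . '...' : $urlrequested;
    return '<a href="' . $siteurl . $urlrequested . '" target="_BLANK">' . $shown . '</a>';
}

function hardened_url_link( $urlrequested, $siteurl, $chars = 60 ) {
    // A logged request path must be site-relative; anything else (absolute
    // URLs, empty values, embedded whitespace) is displayed but not linked.
    if ( ! preg_match( '#^/[^\s]*$#', $urlrequested ) ) {
        return '<span class="request-uri">' . esc_html( $urlrequested ) . '</span>';
    }
    // Shorten before encoding so an entity is never cut in half.
    $shown = strlen( $urlrequested ) > $chars ? substr( $urlrequested, 0, $chars ) . '...' : $urlrequested;
    $href  = esc_url( rtrim( $siteurl, '/' ) . $urlrequested );
    if ( '' === $href ) {
        return '<span class="request-uri">' . esc_html( $shown ) . '</span>';
    }
    return '<a href="' . $href . '" target="_blank" rel="noopener noreferrer">' . esc_html( $shown ) . '</a>';
}

// Constructed sample: the request line from the proof of concept as the logger
// stores it (everything between "GET " and " HTTP/1.1"), plus a benign one.
$siteurl  = 'http://example.com';
$attacker = '///--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(70,70,70))</SCRIPT>';

echo vulnerable_url_link( $attacker, $siteurl ), "\n";
echo hardened_url_link( $attacker, $siteurl ), "\n";
echo hardened_url_link( '/test', $siteurl ), "\n";
```

In the vulnerable output the "> in the stored path terminates the
anchor and the SCRIPT element that follows is parsed as markup; in the
hardened output every <, >, " and ' in both the href and the link text
is an entity, so the admin page shows the attacker's request line as
text. The truncation in stringShortener() is kept, but applied before
encoding, since cutting an &quot; in the middle would reintroduce a
stray quote.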

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
1. Log in as admin and empty the log data of Wassup for a clean test ->
http://<targetsite>/wp-admin/admin.php?page=wassup-options -> Manage
Files and Data -> Empty table

2. Open Burp Suite and send the following requests one after another:

GET /test HTTP/1.1
Host: <targetsite>

GET ///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(70,70,70))</SCRIPT> HTTP/1.1
Host: <targetsite>

3. Open the Current Visitors Online page as an admin:
http://<targetsite>/wp-admin/admin.php?page=wassup-online

Note: Your request should be detected as a Spider/Bot by the Wassup
plugin. One way to achieve this is by sending the requests above through
Burp Suite.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html
[2] https://wordpress.org/plugins/wassup/
[3] https://wordpress.org/plugins/wassup/changelog/
------------------------------------------------------------------------
YITH WooCommerce Compare WordPress Plugin unauthenticated PHP Object
injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the YITH WooCommerce
Compare WordPress Plugin, which can be used by an unauthenticated user
to instantiate arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the YITH WooCommerce Compare [2]
WordPress Plugin version 2.0.9.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in YITH WooCommerce Compare [3] version 2.1.0.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The YITH WooCommerce Compare [2] WordPress Plugin is an extension of the
WooCommerce plugin that allows your users to compare products from your
shop. A PHP Object injection [4] vulnerability was found in the YITH
WooCommerce Compare WordPress Plugin, which can be used by an
unauthenticated user to instantiate arbitrary PHP Objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to an unsafe call to unserialize() in the
__construct() method. The input is taken directly from the
yith_woocompare_list cookie as can be seen in the following code
fragment:

includes/class.yith-woocompare-frontend.php:

/**
 * Constructor
 *
 * @return YITH_Woocompare_Frontend
 * @since 1.0.0
 */
public function __construct() {

	// set coookiename
	if ( is_multisite() ) $this->cookie_name .= '_' . get_current_blog_id();

	// populate the list of products
	$this->products_list = isset( $_COOKIE[ $this->cookie_name ] ) ? json_decode( maybe_unserialize( $_COOKIE[ $this->cookie_name ] ) ) : array();

WordPress's maybe_unserialize() passes any string that looks serialized
to unserialize(), so the cookie value is deserialized before
json_decode() ever sees it. An unauthenticated visitor therefore
controls the full unserialize() input and can instantiate any class
loaded at that point (WordPress core, the theme, and every active
plugin), with attacker-chosen property values, triggering magic methods
such as __wakeup() and __destruct(). It has been confirmed that this
issue can be used to execute arbitrary PHP code.
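
The mechanism and the safe replacement, as an added example that is not
code from YITH WooCommerce Compare or WooCommerce. HypotheticalGadget is
an invented, deliberately harmless class standing in for whichever
classes are loaded on a real site; it is not a class from the plugin,
and no claim is made about which real classes were used in the confirmed
code execution. The maybe_unserialize() shim reproduces the relevant
behaviour of the WordPress function so the file runs stand-alone; the
cookie contents are constructed.

```php
<?php
// Added example; not YITH's code. Why unserialize() on a cookie is exploitable,
// and what the plugin should have done with a value that was only ever JSON.

class HypotheticalGadget {
    public static $fired = array();
    public $path = '';

    // Magic methods PHP calls on its own are the entry points: __wakeup() during
    // unserialize(), __destruct() when the object is released, __toString() when
    // it is used as a string. The attacker chooses every property value.
    public function __destruct() {
        // A real gadget would do something like file_put_contents( $this->path, ... ).
        // This one only records that it ran, and with which attacker-chosen path.
        self::$fired[] = $this->path;
    }
}

// Shim of WordPress's maybe_unserialize(): any string that looks serialized is
// handed to unserialize(). That is the whole problem, since nothing checks that
// the cookie actually carries JSON rather than PHP serialization.
if ( ! function_exists( 'maybe_unserialize' ) ) {
    function maybe_unserialize( $data ) {
        if ( is_string( $data ) && preg_match( '/^[aOsibdN]:/', $data ) ) {
            return @unserialize( trim( $data ) );
        }
        return $data;
    }
}

// Vulnerable pattern, after the constructor quoted above.
function vulnerable_products_list( array $cookie, $name ) {
    if ( ! isset( $cookie[ $name ] ) ) {
        return array();
    }
    $value = maybe_unserialize( $cookie[ $name ] ); // attacker bytes -> unserialize()
    // The object exists as soon as unserialize() returns; what the plugin does
    // with it next is irrelevant to the attacker. The type check is only here so
    // the demonstration keeps running on PHP 8, where json_decode() of an object
    // throws a TypeError. The gadget's __destruct() runs when $value is released.
    return is_string( $value ) ? (array) json_decode( $value ) : array();
}

// Fixed pattern: the cookie was only ever meant to carry a JSON list of product
// IDs, so parse it as JSON and nothing else, then validate the shape.
// json_decode() never instantiates application classes.
function safe_products_list( array $cookie, $name ) {
    if ( ! isset( $cookie[ $name ] ) ) {
        return array();
    }
    $list = json_decode( $cookie[ $name ], true );
    if ( ! is_array( $list ) ) {
        return array();
    }
    $ids = array();
    foreach ( $list as $item ) {
        if ( is_int( $item ) || ( is_string( $item ) && ctype_digit( $item ) ) ) {
            $id = (int) $item;
            if ( $id > 0 ) {
                $ids[] = $id;
            }
        }
    }
    return $ids;
}

// Constructed cookie jar: instead of JSON, the attacker sends a serialized object.
$payload       = new HypotheticalGadget();
$payload->path = '/tmp/owned';
$cookie        = array( 'yith_woocompare_list' => serialize( $payload ) );
unset( $payload );                      // release our own instance ...
HypotheticalGadget::$fired = array();   // ... and discard the destructor call that caused

vulnerable_products_list( $cookie, 'yith_woocompare_list' );
var_dump( HypotheticalGadget::$fired ); // the destructor call made with the attacker's path

HypotheticalGadget::$fired = array();
var_dump( safe_products_list( $cookie, 'yith_woocompare_list' ) );
var_dump( HypotheticalGadget::$fired ); // untouched: no object was ever built
var_dump( safe_products_list( array( 'yith_woocompare_list' => '[12,"7",0,-3]' ), 'yith_woocompare_list' ) );
```

Running the file shows the vulnerable path populating
HypotheticalGadget::$fired from nothing but the cookie bytes, while the
JSON-only path leaves it empty and reduces a well-formed cookie to the
positive integer IDs it should contain. Where serialized data genuinely
cannot be avoided, PHP 7.0 and later accept
unserialize( $data, array( 'allowed_classes' => false ) ), which turns
every object into __PHP_Incomplete_Class and invokes no magic methods;
WordPress's maybe_unserialize() does not pass that option, so it must
never be fed client-controlled input.
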
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/yith_woocommerce_compare_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/yith-woocommerce-compare/
[3]
https://downloads.wordpress.org/plugin/yith-woocommerce-compare.2.1.0.zip
[4] https://www.owasp.org/index.php/PHP_Object_Injection
