When adding a vulnerability to our data set we actually look in to it to confirm that a vulnerability actual existed, what versions of the plugin had the vulnerability, and that it has been fully fixed. Recently while looking over changes made in version 0.9.9 of the plugin Chained Quiz, which was listed as having “Fixed various XSS issues”, we noticed that one of the cross-site scripting (XSS) issues was only partially resolved.
Several of the changes made sanitized title fields for various pieces of the plugin’s quizzes. By default only Administrator-level user have access to the pages with those fields and for those users it wouldn’t have really been a vulnerability for the fields to not be sanitized since that level of user normally have the unfiltered_html capability, which allows them to do the equivalent of cross-site scripting. The plugin does provides the option to make those pages as well as the Social Sharing page accessible to lower level users, which would not have that capability, which would make this a vulnerability.
In looking over the relevant files what we noticed was that the rest of the text input is not being sanitized, so the vulnerability still exists on those pages.
An example of that is when creating a new question, you can see that in version 0.9.9 the value “$vars[‘title’]” is sanitized but the other text inputs “$vars[‘question’]” and “$vars[‘qtype’]” are not (the database field for “$vars[‘qtype’]” is limited to 20 characters making it difficult to use it for malicious code) :
25 26 27 28 29
$vars['title'] = sanitize_text_field($vars['title']); $result = $wpdb->query($wpdb->prepare("UPDATE ".CHAINED_QUESTIONS." SET question=%s, qtype=%s, title=%s, autocontinue=%d WHERE id=%d", $vars['question'], $vars['qtype'], $vars['title'], @$vars['autocontinue'], $id));
The text inputs on Social Sharing page are also not sanitized or escaped.
We contacted the developer about the issue and seeing as they had just fixed part of the issue and another related vulnerability, we figured they would be receptive (that is usually the case in this type of situation). Instead we got a very different response. It began:
The contents of the questions should not be filtered: it has to allow HTML and scripts if the site managers want to use them.
All these issues are “Self-XSS” that we are not interested to hear about: no one has any interest to hack their own site or give management access to people they don’t trust.
As far as we can tell self-XSS actually refers to a social engineering attack, not a vulnerability, which these are.
In our reply to that we explained that unless users have the unfiltered_html capability they are not allowed to use unfiltered HTML, so they needed to make sure users without the capability had their input sanitized. We haven’t gotten any response in the week since we sent that reply and the vulnerability hasn’t been resolved.
Proof of Concept
The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=chainedquiz_social_sharing, when logged in to WordPress with an account that has access to the page.
- As an Administrator access /wp-admin/admin.php?page=chainedquiz_options and set it so that Subscribers can manage quizzes.
- Log in as a Subscriber.
- Visit /wp-admin/admin.php?page=chainedquiz_social_sharing.
- In the “Your Facebook App ID” field enter ‘”><script>alert(document.cookie);</script>’ (without the single quotes around it).
- Click “Save All Settings”.
- January 4, 2017 – Developer notified.
- January 5, 2017 – Developer responds.
- January 12, 2017 – WordPress.org Plugin Directory notified.
- January 12, 2017 – Removed from WordPress.org Plugin Directory.
- January 12, 2017 – Version 1.0 submitted to WordPress.org Plugin Directory, which fixes issue.