12 Jan 2017

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer

From time to time vulnerabilities are fixed in plugins without anyone putting out a report on the vulnerability, and in those cases we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it can also help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the WordPress Support Forums for relevant threads. For the second time in a couple of months that has brought up a reflected cross-site scripting (XSS) vulnerability discovered by a PCI scanner that exists in the current version of a plugin. This time it is in the plugin Super Socializer.

The results from the scanner only showed the output on the website’s pages caused by the vulnerability, so we still needed to look into the code to see what the underlying cause was.

We first determined that the output shown in the result occurs when the Social Login feature is enabled in the plugin.

The cause of the vulnerability is that the webpage’s URL is included on the webpage unescaped, which allows malicious code included in the URL to run. The value of the URL is actually escaped in the code, which would prevent this, but the escaping is then undone right afterwards.

In the file super_socializer.php, starting at line 491, two variables are defined that contain the URL of the page you are on, $redirectionUrl and $regRedirectionUrl, which are then echoed:

$redirectionUrl = the_champ_get_login_redirection_url();
$regRedirectionUrl = the_champ_get_login_redirection_url('', true);
?>
<script> var theChampLoadingImgPath = '<?php echo $loadingImagePath ?>'; var theChampAjaxUrl = '<?php echo $theChampAjaxUrl ?>'; var theChampRedirectionUrl = '<?php echo $redirectionUrl ?>'; var theChampRegRedirectionUrl = '<?php echo $regRedirectionUrl ?>'; </script>

The value for those variables comes from the function the_champ_get_login_redirection_url(). In that function, on line 451 of super_socializer.php, the value of the webpage’s URL is escaped using esc_url() when it is assigned to $url:

438	function the_champ_get_login_redirection_url($twitterRedirect = '', $register = false){
439		global $theChampLoginOptions, $user_ID;
440		if($register){
441			$option = 'register';
442		}else{
443			$option = 'login';
444		}
445		if(isset($theChampLoginOptions[$option.'_redirection'])){
446			if($theChampLoginOptions[$option.'_redirection'] == 'same'){
447				$http = the_champ_get_http();
448				if($twitterRedirect != ''){
449					$url = $twitterRedirect;
450				}else{
451					$url = html_entity_decode(esc_url($http.$_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]));
452				}
453				return the_champ_get_valid_url($url);

Unfortunately $url is then run through the function the_champ_get_valid_url(), also in super_socializer.php, which runs it through urldecode() and that undoes the escaping:

419	function the_champ_get_valid_url($url){
420		$url = urldecode($url);
421		if(html_entity_decode(esc_url(remove_query_arg(array('ss_message', 'SuperSocializerVerified', 'SuperSocializerUnverified'), $url))) == wp_login_url() || $url == home_url().'/wp-login.php?action=register' || $url == home_url().'/wp-login.php?loggedout=true'){ 
422			$url = home_url().'/';
423		}elseif(isset($_GET['redirect_to'])){
424			if(urldecode($_GET['redirect_to']) == admin_url()){
425				$url = home_url().'/';
426			}elseif(the_champ_validate_url(urldecode($_GET['redirect_to'])) && (strpos(urldecode($_GET['redirect_to']), 'http://') !== false || strpos(urldecode($_GET['redirect_to']), 'https://') !== false)){
427				$url = esc_attr($_GET['redirect_to']);
428			}else{
429				$url = home_url().'/';
430			}
431		}
432		return $url;
433	}
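To make the escape-then-decode problem concrete, here is an added stand-alone PHP illustration (not the plugin’s code and not WordPress code). It models the flow above with a simplified stand-in for esc_url(), so that it runs without WordPress, and contrasts it with escaping the value for the JavaScript-string context at the moment it is echoed. The function names esc_url_stand_in(), render_vulnerable() and render_hardened(), the host example.test and the sample request URI are all constructed for this example.

```php
<?php
// Added illustration, not code from the Super Socializer plugin or WordPress.

// Assumed simplification of WordPress' esc_url(): keep only the characters
// esc_url() allows. Note that '%' is allowed, so percent-encoded sequences
// such as %3C (for '<') pass through untouched. The real esc_url() also
// entity-encodes '&' and quotes and checks the protocol; that is left out here.
function esc_url_stand_in(string $url): string {
    $url = str_replace(' ', '%20', ltrim($url));
    return preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', $url);
}

// Models the flow described above: "escape" the URL, then urldecode() it,
// then echo it straight into a quoted JavaScript string inside <script>.
// urldecode() turns %3C/%3E back into '<' and '>', so a '</script>' in the
// request line closes the script block and whatever follows is parsed as HTML.
function render_vulnerable(string $request_uri): string {
    $url = esc_url_stand_in('http://example.test' . $request_uri);
    $url = urldecode($url);
    return "<script> var theChampRedirectionUrl = '" . $url . "'; </script>";
}

// Hardened flow: the decoded URL is kept as data and encoded for the
// JavaScript-string context only at the point of output. json_encode() with
// the JSON_HEX_* flags emits a quoted literal in which '<', '>', '&', '"' and
// "'" become \uXXXX escapes, so no '</script>' can appear in the output.
// Inside WordPress, wp_json_encode() (or esc_js() within quotes) does the
// same job; json_encode() is used here so the file runs on plain PHP.
function render_hardened(string $request_uri): string {
    $url = urldecode('http://example.test' . $request_uri);
    $literal = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script> var theChampRedirectionUrl = " . $literal . "; </script>";
}

// Constructed sample: the percent-encoded form a browser sends for a query
// string containing '<' and '>' characters.
$sample = '/?p=%3C/script%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E';

echo "vulnerable: ", render_vulnerable($sample), "\n";
echo "hardened:   ", render_hardened($sample), "\n";

// Quick self-check: the vulnerable output contains a raw closing script tag,
// the hardened output does not.
var_dump(strpos(render_vulnerable($sample), '</script><script>') !== false);
var_dump(strpos(render_hardened($sample), '</script><script>') === false);
```

Run it with `php filename.php` to compare the two `<script>` blocks. The design point is that esc_url() and urldecode() operate on the URL as a URL, while the injection happens in a different context (a JavaScript string literal inside HTML); the value has to be encoded for that context when it is written out, after any decoding, not before.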

While the developer said in that thread that they would fix the vulnerability within 24 hours, that was nearly three weeks ago, so we are notifying the Plugin Directory of the issue at this point.

Proof of Concept

The following proof of concept page will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

You will need to Enable Social Login on the page /wp-admin/admin.php?page=heateor-social-login.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/?p=</script><script>alert(document.cookie);</script>
