17 Feb

Reflected Cross-Site Scripting (XSS) Vulnerability in Time Sheets

We recently found that the Time Sheets plugin contains a reflected cross-site scripting (XSS) vulnerability on one of the plugin’s admin pages, Old Timesheets.

As of version 1.3.1, in the file /entry.php the GET inputs “start_date”, “end_date”, and “include_completed” were echoed out without being sanitized or escaped to prevent malicious code from being placed on the page:

$start_date = $_GET['start_date'];
$end_date = $_GET['end_date'];

if ($start_date=='') {
 $start_date = date('Y-m-d', strtotime("-1 Year"));
}
if ($end_date=='') {
 $end_date = date('Y-m-d', strtotime("+1 Day"));
}

echo '<form method="get">';
echo "Enter Range To Search: ";
echo "<input type='text' name='start_date' size='10' value='{$start_date}'>";
echo " to ";
echo "<input type='text' name='end_date' size='10' value='{$end_date}'>";
echo "<br><input type='checkbox' name='include_completed' value='checked' {$_GET['include_completed']}> Include Completed Timesheets";
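As an added example (not the Time Sheets plugin's code), here is the same form with the three inputs handled safely: the dates are validated against the YYYY-MM-DD shape the page expects, the checkbox input is reduced to a yes/no decision instead of being reflected into the tag, and every value that does reach an attribute still passes through the WordPress esc_attr() function. The esc_attr() fallback and the ts_sanitize_date() helper are assumptions made so the snippet runs on its own outside WordPress.

```php
<?php
// Added example, not the plugin's code. The fallback below is only so the
// file can be run on its own; inside WordPress esc_attr() already exists.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical helper: accept only a real calendar date written as YYYY-MM-DD,
// otherwise fall back to the default the original code used.
function ts_sanitize_date($raw, $default) {
    if (!is_string($raw) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return $default;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $raw));
    return checkdate($m, $d, $y) ? $raw : $default;
}

$start_date = ts_sanitize_date($_GET['start_date'] ?? '', date('Y-m-d', strtotime('-1 Year')));
$end_date   = ts_sanitize_date($_GET['end_date'] ?? '', date('Y-m-d', strtotime('+1 Day')));

// The checkbox only needs to know whether it was ticked. Comparing against the
// one legitimate value means nothing from the query string is ever echoed here.
$include_completed = (($_GET['include_completed'] ?? '') === 'checked');

echo '<form method="get">';
echo 'Enter Range To Search: ';
// Validation alone would stop the proof of concept, but the attribute is still
// escaped so the output stays safe if the validation is ever loosened.
echo "<input type='text' name='start_date' size='10' value='" . esc_attr($start_date) . "'>";
echo ' to ';
echo "<input type='text' name='end_date' size='10' value='" . esc_attr($end_date) . "'>";
echo "<br><input type='checkbox' name='include_completed' value='checked' "
    . ($include_completed ? 'checked' : '')
    . "> Include Completed Timesheets";
```

The important design choice is in the last input: the original interpolated `$_GET['include_completed']` directly into the tag, so any string an attacker chose became part of the markup. Treating the parameter as a boolean removes that reflection entirely, which is stronger than escaping the raw value would be.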

We notified the developer of the issue, but we haven’t heard back from them. Subsequent to that, version 1.4.0 was released, which sanitizes two of those GET inputs, “start_date” and “end_date”, by running them through a couple of the plugin’s functions:

$start_date = $common->f_date($common->clean_from_db($_GET['start_date']));
$end_date = $common->f_date($common->clean_from_db($_GET['end_date']));

No change was made related to the third GET input, “include_completed”, so the change to the others could be unrelated to our notifying the developer of the issue.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?start_date=2017-02-02&end_date=2017-02-03&submit=Search&page=search_timesheet&include_completed='><script>alert(document.cookie);</script>

Timeline

  • February 2, 2017 – Developer notified.
  • February 17, 2017 – WordPress.org Plugin Directory notified.
  • February 17, 2017 – Plugin removed from WordPress.org Plugin Directory.
02 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Watu

This post's content is only accessible to those who have an active account with our service.

If you currently have one then please log in to view the content.

If you don't currently have one, you can get free access to this content, as when you sign up now you can try the service for free for the first month (there are a lot of other reason that you will want to sign up beyond access to this post's content).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

23 Jan

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in moreAds SE


18 Jan

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Event Notifier


17 Jan

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Stop User Enumeration


17 Jan

Reflected Cross-Site Scripting (XSS) Vulnerability in WangGuard

We recently introduced a new feature where we do security reviews of plugins that are selected by our customers. The first review was of WangGuard. The most serious issue we found in that review is a reflected cross-site scripting (XSS) vulnerability.

In the file /wangguard-user-info.php the value of the GET input “userIP” is set as the value of the variable $userIP without any sanitization:

$userIP = $_GET["userIP"];

That value is then printed without it being escaped:

printf( __('User IP: %s <br />'), $userIP);
printf( __('User nicename: %s <br />'), $user_info->user_nicename);
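As an added example (not WangGuard's code), the value can be handled in two layers: validate that the “userIP” input actually is an IP address before using it at all, and escape it with the WordPress esc_html() function at the point where it is printed as page text. The wg_get_user_ip_param() helper and the esc_html()/__() fallbacks are assumptions made so the snippet runs on its own outside WordPress.

```php
<?php
// Added example, not the plugin's code. The fallbacks only exist so the file
// runs outside WordPress, where esc_html() and __() are already defined.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('__')) {
    function __($text, $domain = 'default') { // stand-in for the translation function
        return $text;
    }
}

// Hypothetical helper: return the userIP parameter only if it parses as an
// IPv4 or IPv6 address, otherwise an empty string. Taking the array as a
// parameter keeps the function usable with constructed input as well as $_GET.
function wg_get_user_ip_param(array $get) {
    $raw = isset($get['userIP']) ? trim((string) $get['userIP']) : '';
    return filter_var($raw, FILTER_VALIDATE_IP) === false ? '' : $raw;
}

$userIP = wg_get_user_ip_param($_GET);

if ($userIP === '') {
    printf('<p>%s</p>', esc_html(__('No valid IP address was supplied.')));
} else {
    // esc_html() is applied to the value before printf builds the line, so a
    // value containing markup would be shown as literal text, not executed.
    printf(__('User IP: %s <br />'), esc_html($userIP));
}
```

The validation on its own would already reject the proof of concept above, since a script tag is not a valid IP address; the escaping is kept as well so that the output remains safe even if the validation is later relaxed, for example to also accept hostnames.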

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=wangguard_users_info&userIP=<script>alert(document.cookie);</script>

Timeline

  • January 2, 2017 – Developer notified.
  • January 17, 2017 – WordPress.org Plugin Directory notified.
  • January 18, 2017 – Version 1.7.3 released, which fixes vulnerability.
12 Jan

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer


28 Nov

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Whois Domain


12 Oct

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Editor


13 Sep

Reflected Cross-Site Scripting (XSS) Vulnerability in Quotes Collection

One of the things we do to provide the best data on vulnerabilities in WordPress plugins is to monitor the wordpress.org Support Forum for threads related to them. Yesterday we ran across a thread asking whether the Quotes Collection plugin, which had been removed from the Plugin Directory, had a security vulnerability. The people running the Plugin Directory are choosing to keep people in the dark about removed plugins with security vulnerabilities, so people are left wondering like this. If you use our service, though, many of the vulnerabilities that caused plugins to be removed are listed, and you can also use our No Longer in Directory plugin to see if plugins you use have been removed from the Plugin Directory, whether for a security issue or another reason.

After running across the thread we attempted to see if we could find any vulnerabilities in the most recent version of the plugin. While going through our standard checks we found that the plugin has a reflected cross-site scripting (XSS) vulnerability. That isn’t a major threat, since we don’t see much evidence of that type of vulnerability being targeted. One reason for that is that all the major web browsers other than Firefox have XSS filtering, which an attacker would need to figure out a way to evade to exploit the vulnerability in those other web browsers.

The reflected cross-site scripting occurs on the page /wp-admin/admin.php?page=quotes-collection, due to line 221 of /inc/class-quotes-collection-admin.php:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />

Once we saw that, it seemed likely that someone else had already identified the issue, as it was the same type of issue as several identified by Yorick Koster as part of the Summer of Pwnage. Here is how he described the issue in one of his advisories:

Normally, the page URL parameter is validated by WordPress, which prevents Cross-Site Scripting. However in this case the value of page is obtained from $_REQUEST, not from $_GET. This allows for parameter pollution where the attacker puts a benign page value in the URL and simultaneously submits a malicious page value as POST parameter.
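As an added example (not the Quotes Collection plugin's code), here is the hidden field built from $_GET alone so that a POST body cannot override the value WordPress already validated, with the slug additionally restricted to the characters a menu slug can contain and escaped with esc_attr(). The qc_hidden_page_field() helper, the esc_attr() fallback, and the constructed sample requests at the bottom are assumptions made so the snippet runs on its own outside WordPress.

```php
<?php
// Added example, not the plugin's code. Fallback only so this runs outside
// WordPress, where esc_attr() is already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical helper. It takes the GET array explicitly: the query string is
// the only source WordPress checked when it routed the request to this screen,
// so the POST body must not be consulted for the same parameter.
function qc_hidden_page_field(array $get) {
    $page = isset($get['page']) ? (string) $get['page'] : '';
    // A menu slug is letters, digits, underscores and hyphens; anything else
    // is not a page this plugin registered, so drop it rather than reflect it.
    if (!preg_match('/^[a-z0-9_-]+$/i', $page)) {
        $page = '';
    }
    // Escape even the validated value, so the attribute is safe regardless.
    return '<input type="hidden" name="page" value="' . esc_attr($page) . '" />';
}

// Constructed sample requests showing the precedence problem described above.
// PHP fills $_REQUEST from GET, then POST (in both the built-in default order
// and the php.ini-production request_order), and later sources overwrite
// earlier ones, so array_merge() below mirrors what $_REQUEST would contain.
$sample_get  = ['page' => 'quotes-collection'];
$sample_post = ['page' => '"><b>not a slug</b>'];
$as_request  = array_merge($sample_get, $sample_post);

// Reading from the merged array would have picked up the POST value; the
// helper rejects it because it is not a valid slug.
echo qc_hidden_page_field($as_request) . PHP_EOL;
// Reading from GET only yields the value WordPress validated.
echo qc_hidden_page_field($sample_get) . PHP_EOL;
```

In WordPress code the call would simply be `qc_hidden_page_field($_GET)`. The two echo lines make the distinction concrete: the merged array reproduces what `$_REQUEST['page']` would hold for the request shape the advisory describes, and the GET-only array is what the hidden field should have been built from all along.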

A listing that seems to match the vulnerability is on the list of vulnerabilities discovered during that event, but without any details for us to link to for our data:

Reflected XSS in Quotes plugin (CSRF against admin)

July 2016 | Installs: 20K+ | Yorick Koster | OVE-20160712-0015 | Status: reporting

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=quotes-collection" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>