
WordPress FormBuilder 1.05 Cross Site Scripting

04 Aug 2016 00:00:00 | Reported by Securify B.V. | Type: packetstorm | Source: packetstormsecurity.com

Cross-Site Scripting in the FormBuilder WordPress Plugin allows injection of malicious JavaScript into an admin's browser

Code
`------------------------------------------------------------------------  
Cross-Site Scripting in FormBuilder WordPress Plugin  
------------------------------------------------------------------------  
Peter Ganzevles, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Reflected Cross-Site Scripting (XSS) vulnerability has been found in  
the FormBuilder WordPress Plugin. By using this vulnerability an  
attacker can inject malicious JavaScript code into the application,  
which will execute within the browser of any logged-in admin.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160722-0007  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on FormBuilder version 1.05.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue is resolved in FormBuilder version 1.06.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_formbuilder_wordpress_plugin.html  
  
The FormBuilder plugin is vulnerable to a Reflected Cross-Site Scripting attack in the main page. This means that an attacker can craft a link, such as the one below, which will inject malicious JavaScript into the page of any admin visiting it.  
  
The vulnerability lies in a piece of code in the file html/options_default.inc.php. Here, on lines 35-40, the following form is created:  
  
35: <form class='formSearch' name="formSearch" method="GET" action="<?php echo FB_ADMIN_PLUGIN_PATH; ?>">  
36: <input name='page' type="hidden" value="<?php echo $_GET['page']; ?>" />  
37: <input name='pageNumber' type="hidden" value="<?php echo $_GET['pageNumber']; ?>" />  
38: <input name='formSearch' type="text" size="10" value="<?php echo $formSearch; ?>" />  
39: <input class='searchButton' name='Search' type="submit" value="Search" />  
40: </form>  
This form has two input fields which are populated with data taken directly from GET parameters, without being sanitized beforehand. These are $_GET['page'] and $_GET['pageNumber']. While supplying a malicious payload to the $_GET['pageNumber'] parameter causes the application to just throw an error, supplying it to the $_GET['page'] parameter will cause it to be executed.  
  
Proof of concept  
The following URL causes an alert box to spawn, which, while not dangerous in and of itself, is an easy way to prove that the page is vulnerable.  
  
http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&formSearch=test&Search=Search  
  
------------------------------------------------------------------------  
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its  
goal is to contribute to the security of popular, widely used OSS  
projects in a fun and educational way.  
`
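
A hardened rendering of the form on lines 35-40 discussed in the advisory, as an added example that is neither the plugin's code nor the actual 1.06 fix: each reflected value is escaped with WordPress's esc_attr() and pageNumber is coerced with absint(). The function fb_render_search_form(), its $action argument (standing in for FB_ADMIN_PLUGIN_PATH) and the fallback stubs are assumptions so the file also runs outside WordPress.

```php
<?php
// Added example, not FormBuilder's own code. Outside WordPress these
// fallbacks approximate the real esc_attr() and absint() helpers.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8', false);
    }
}
if (!function_exists('absint')) {
    function absint($value) {
        return abs((int) $value);
    }
}

// Hardened rendering of the search form. fb_render_search_form() and its
// $action argument (standing in for FB_ADMIN_PLUGIN_PATH) are hypothetical.
function fb_render_search_form(array $get, $formSearch, $action) {
    // Reject non-string input such as page[]=x before it reaches the markup.
    $page = (isset($get['page']) && is_string($get['page'])) ? $get['page'] : '';
    // A page number is numeric: coerce it instead of echoing text.
    $pageNumber = (isset($get['pageNumber']) && is_scalar($get['pageNumber']))
        ? absint($get['pageNumber']) : 1;

    $rows = array(
        sprintf('<form class="formSearch" name="formSearch" method="GET" action="%s">', esc_attr($action)),
        sprintf('<input name="page" type="hidden" value="%s" />', esc_attr($page)),
        sprintf('<input name="pageNumber" type="hidden" value="%d" />', $pageNumber),
        sprintf('<input name="formSearch" type="text" size="10" value="%s" />', esc_attr($formSearch)),
        '<input class="searchButton" name="Search" type="submit" value="Search" />',
        '</form>',
    );
    return implode("\n", $rows);
}

// Constructed request: the proof-of-concept payload in both parameters.
$payload = '"><script>alert(1)</script>';
$html = fb_render_search_form(
    array('page' => $payload, 'pageNumber' => $payload),
    'test',
    'tools.php?page=formbuilder.php'
);
echo $html, "\n";

// Escaping keeps the payload inside the attribute value as inert text.
if (strpos($html, '<script') !== false) {
    throw new RuntimeException('unescaped markup reached the page');
}
```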
