WordPress Quiz And Survey Master 4.7.8 / 4.5.4 XSS / CSRF

Type packetstorm
Reporter Tom Adams
Modified 2016-12-16T00:00:00


Software: Quiz And Survey Master (Formerly Quiz Master Next)  
Version: 4.5.4,4.7.8  
Homepage: https://wordpress.org/plugins/quiz-master-next/  
Advisory report: https://security.dxw.com/advisories/csrfstored-xss-in-quiz-and-survey-master-formerly-quiz-master-next-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/  
CVE: Awaiting assignment  
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)  
CSRF/stored XSS in Quiz And Survey Master (Formerly Quiz Master Next) allows unauthenticated attackers to do almost anything an admin can  
A CSRFA vulnerabilityA allows an unauthenticated attacker to add questions to existing quizzes.  
The question_name parameter is put into a manually-constructed JavaScript objectA and escaped with esc_js() (php/qmn_options_questions_tab.php line 499). If the user (or attacker) creates a new question on a quizA containingA a<script>alert(1)</script>a in the question_name field then aquestion: a<script>alert(1)</script>a,a will get outputA inside the JS object. All good so far.  
However, inA js/admin_question.js on line 205, we see this line, as part of some JS-generated HTML:  
jQuery(\'<textarea/>\').html(questions_list[i].question.replace(/\"/g, \'\"\').replace(/\'/g, \"\'\")).text()+  
This looks okay. Weare creating a TEXTAREA element, setting its HTML to the value of the question_name parameter, and extracting the .text() of it. If we did jQuery(a<textarea/>a).html(a<script>alert(1)</script>a).text() we would get aalert(1)a as the output.  
However, thatas not how inline JavaScript gets parsed. Between a <script> and a </script>, the HTML parser actually parses a<a as a<a not as a<a. So if we doA jQuery(a<textarea/>a).html(a<script>alert(1)</script>a).text() we get a<script>alert(1)</script>a.  
And since a<script>alert(1)</script>a doesnat appear anywhere in the page, Chromeas reflected XSS mitigation measures are not activated. ThusA the stored XSS attack can be executed immediately.  
Proof of concept  
Click the submit button on the following page (in a real attack the form can be submitted without user interaction):  
<form method=\"POST\" action=\"http://localhost/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1\">  
<input type=\"text\" name=\"question_type\" value=\"0\">  
<input type=\"text\" name=\"question_name\" value=\"<script>alert(1)</script>\">  
<input type=\"text\" name=\"question_submission\" value=\"new_question\">  
<input type=\"text\" name=\"quiz_id\" value=\"1\">  
<input type=\"submit\">  
Upgrade to version 4.7.9 or later.  
Disclosure policy  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
2015-09-14: Discovered  
2016-12-07: Reported to vendor viaA https://quizandsurveymaster.com/contact-us/  
2016-12-07: Requested CVE  
2016-12-13: Vendor replied  
2016-12-14: Vendor reportedA issue fixed in version 4.7.9  
2016-12-15: Advisory published  
Discovered by dxw:  
Tom Adams  
Please visit security.dxw.com for more information.