WordPress Quiz And Survey Master 4.7.8 / 4.5.4 XSS / CSRF

2016-12-16T00:00:00
ID PACKETSTORM:140183
Type packetstorm
Reporter Tom Adams
Modified 2016-12-16T00:00:00

Description

                                        
                                            `Details  
================  
Software: Quiz And Survey Master (Formerly Quiz Master Next)  
Version: 4.5.4,4.7.8  
Homepage: https://wordpress.org/plugins/quiz-master-next/  
Advisory report: https://security.dxw.com/advisories/csrfstored-xss-in-quiz-and-survey-master-formerly-quiz-master-next-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/  
CVE: Awaiting assignment  
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)  
  
Description  
================  
CSRF/stored XSS in Quiz And Survey Master (Formerly Quiz Master Next) allows unauthenticated attackers to do almost anything an admin can  
  
Vulnerability  
================  
A CSRFA vulnerabilityA allows an unauthenticated attacker to add questions to existing quizzes.  
The question_name parameter is put into a manually-constructed JavaScript objectA and escaped with esc_js() (php/qmn_options_questions_tab.php line 499). If the user (or attacker) creates a new question on a quizA containingA a<script>alert(1)</script>a in the question_name field then aquestion: a<script>alert(1)</script>a,a will get outputA inside the JS object. All good so far.  
However, inA js/admin_question.js on line 205, we see this line, as part of some JS-generated HTML:  
jQuery(\'<textarea/>\').html(questions_list[i].question.replace(/\"/g, \'\"\').replace(/\'/g, \"\'\")).text()+  
This looks okay. Weare creating a TEXTAREA element, setting its HTML to the value of the question_name parameter, and extracting the .text() of it. If we did jQuery(a<textarea/>a).html(a<script>alert(1)</script>a).text() we would get aalert(1)a as the output.  
However, thatas not how inline JavaScript gets parsed. Between a <script> and a </script>, the HTML parser actually parses a<a as a<a not as a<a. So if we doA jQuery(a<textarea/>a).html(a<script>alert(1)</script>a).text() we get a<script>alert(1)</script>a.  
And since a<script>alert(1)</script>a doesnat appear anywhere in the page, Chromeas reflected XSS mitigation measures are not activated. ThusA the stored XSS attack can be executed immediately.  
  
Proof of concept  
================  
Click the submit button on the following page (in a real attack the form can be submitted without user interaction):  
<form method=\"POST\" action=\"http://localhost/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1\">  
<input type=\"text\" name=\"question_type\" value=\"0\">  
<input type=\"text\" name=\"question_name\" value=\"<script>alert(1)</script>\">  
<input type=\"text\" name=\"question_submission\" value=\"new_question\">  
<input type=\"text\" name=\"quiz_id\" value=\"1\">  
<input type=\"submit\">  
</form>  
  
Mitigations  
================  
Upgrade to version 4.7.9 or later.  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2015-09-14: Discovered  
2016-12-07: Reported to vendor viaA https://quizandsurveymaster.com/contact-us/  
2016-12-07: Requested CVE  
2016-12-13: Vendor replied  
2016-12-14: Vendor reportedA issue fixed in version 4.7.9  
2016-12-15: Advisory published  
  
  
  
Discovered by dxw:  
================  
Tom Adams  
Please visit security.dxw.com for more information.  
  
  
  
  
`