oss-sec mailing list archives

WordPress audio playlist functionality is affected by Cross-Site Scripting


From: Summer of Pwnage <lists () securify nl>
Date: Tue, 7 Mar 2017 00:04:44 +0100

------------------------------------------------------------------------
WordPress audio playlist functionality is affected by Cross-Site
Scripting
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Two Cross-Site Scripting vulnerabilities exist in the playlist
functionality of WordPress. These issues can be exploited by convincing
an Editor or Administrator into uploading a malicious MP3 file. Once
uploaded, the issues can be triggered by a Contributor or higher using
the playlist shortcode.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160717-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WordPress [2] version 4.5.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
These issues are resolved in WordPress version 4.7.3. [3]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress is web software you can use to create a website, blog, or
app. Two Cross-Site Scripting vulnerabilities exist in the playlist
functionality of WordPress. These issues can be exploited by convincing
an Editor or Administrator into uploading a malicious MP3 file. Once
uploaded, the issues can be triggered by a Contributor or higher using
the playlist shortcode.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
It was discovered that meta information (ID3 tags) stored in audio files
is not properly sanitized when the file is uploaded by a user with the
unfiltered_html capability (generally an Editor or Administrator).

The first Cross-Site Scripting vulnerability exists in the function that
processes the playlist shortcode, which is done in the
wp_playlist_shortcode() method (/wp-includes/media.php). This method
creates a <noscript> block for users with JavaScript disabled.

https://www.securify.nl/advisory/SFY20160742/noscript_unfiltered_html.png

The method wp_get_attachment_link() does not perform any output encoding
on the link text. Meta information from the audio file is used in the
link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site
Scripting.

The second Cross-Site Scripting issue is DOM-based and exists in the
JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or
/wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView
object is used to render an audio player client-side. The method
renderTracks() uses the meta information from the audio file in a call
to jQuery's append() method. No output encoding is used on the meta
information, resulting in a Cross-Site Scripting vulnerability.

https://www.securify.nl/advisory/SFY20160742/renderTracks-dom-based_xss.png
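
An added illustration of the renderTracks() pattern described above (example
code, not the advisory's or WordPress's own): a track's ID3 caption is
concatenated into playlist markup once without encoding and once through an
HTML escaper, so the difference is visible on a constructed sample track.

```javascript
// Added example, not part of the advisory or of WordPress itself. It models
// the renderTracks() pattern: track metadata (ID3 title/caption) concatenated
// into markup that is later handed to jQuery's append(). Sample track objects
// below are constructed for this demo.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: metadata is dropped into the markup as-is, so any tag
// inside an ID3 field becomes live DOM once the string reaches append().
function renderTrackUnsafe(track, index) {
  return (
    '<div class="wp-playlist-item">' +
      '<a class="wp-playlist-caption" href="' + track.src + '">' +
        (index + 1) + '. ' + track.caption +
      '</a>' +
    '</div>'
  );
}

// Hardened pattern: every untrusted field is encoded before concatenation,
// so metadata can only ever appear as text, never as markup or attributes.
function renderTrackSafe(track, index) {
  return (
    '<div class="wp-playlist-item">' +
      '<a class="wp-playlist-caption" href="' + escapeHtml(track.src) + '">' +
        (index + 1) + '. ' + escapeHtml(track.caption) +
      '</a>' +
    '</div>'
  );
}

// Constructed sample: an ID3 title that happens to contain markup.
const SAMPLE_TRACKS = [
  { src: "/wp-content/uploads/2016/07/track.mp3", caption: "Intro <i>remix</i>" },
];

function renderPlaylist(tracks, render) {
  return tracks.map(render).join("");
}
```

In a real page the DOM-native alternative is to build the elements and set the caption with jQuery's .text() (or a text node) instead of string concatenation, which removes the need to escape by hand.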

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following MP3 file can be used to reproduce this issue:

https://www.securify.nl/advisory/SFY20160742/xss.mp3

1) Upload the MP3 file to the Media Library (as Editor or Administrator).
2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio
Playlist).

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
[2] https://wordpress.org/
[3] https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

