[FD] Reflected XSS in Citizen Space allows attackers to view sensitive information of the attacker’s choosing (WordPress plugin)
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Reflected XSS in Citizen Space allows attackers to view sensitive information of the attacker’s choosing (WordPress plugin)
- From: dxw Security <security@xxxxxxx>
- Date: Thu, 16 Apr 2015 17:48:12 +0000
Details
================
Software: Citizen Space
Version: 1.1
Homepage: http://wordpress.org/plugins/citizen-space/
Advisory report:
https://security.dxw.com/advisories/reflected-xss-in-citizen-space-allows-attackers-to-view-sensitive-information-of-the-attackers-choosing/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
Description
================
Reflected XSS in Citizen Space allows attackers to view sensitive information
of the attacker’s choosing
Vulnerability
================
It is possible to request pages that will run the attacker's choice of WordPress
shortcode and display any content of the attacker's choosing. This allows the
attacker to view extremely sensitive data, to create content, to access forms
that have been disabled and to greatly aid the exploitation of other plugins.
This can also be exploited to perform simple cross-site scripting attacks (XSS)
by injecting HTML onto pages, if a user can be tricked into following a link
constructed by the attacker. This could be used e.g. to damage the reputation
of the site or another entity, or to trick the user into installing malicious
software.
Citizen Space looks at all URLs requested on the site to see if they contain
“cs_consultation” anywhere in the URL, including in the parameters. It then
looks for the parameter “path” in the URL; if it is found, it appends it to
post_content without sanitising it:
// Vulnerable line as shipped: $_GET['path'] is interpolated directly into the
// url attribute of the shortcode, so it can contain shortcode delimiters
$post->post_content = '[citizenspace_consultation url="' . $_GET['path'] . '"]';
This means that the citizenspace_consultation shortcode can be broken out of
by adding a closing square bracket (]). This works because the shortcode spec in
WordPress is strict and says there cannot be any closing square brackets
inside a shortcode. Any content that is placed in the path parameter after the
square bracket will be searched for shortcodes and, if they are found, they are
executed. HTML will also be rendered and JavaScript will be executed.
Proof of concept
================
Assuming a site running on localhost, making this request will inject
[shortcodehere] into the page:
http://localhost/?cs_consultation&path="][shortcodehere][[[
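The following is an added example, not part of the dxw advisory or the plugin's own code. It shows two things a site operator would want after reading the description above: the allow-list check a fixed plugin could apply to the path parameter before interpolating it (the specific policy, a relative path of unreserved characters, is an assumption for this example), and a scan over web server access log lines that flags requests where cs_consultation appears anywhere in the URL and the path value carries the shortcode delimiters the breakout depends on. The log lines are constructed for the example in a simplified combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that terminate or open a WordPress shortcode attribute; a path
# value containing them can break out of [citizenspace_consultation url="..."].
SHORTCODE_DELIMS = set('[]"')

# Assumed allow-list for a hardened plugin: a short relative path made of
# unreserved characters and slashes. Anything else is rejected before it is
# ever placed inside the shortcode string.
SAFE_PATH_RE = re.compile(r'^[A-Za-z0-9_\-./]{1,200}$')

# Simplified Apache/nginx combined log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_safe_path(value: str) -> bool:
    """Return True only if the value is a plain relative path with no traversal."""
    return bool(SAFE_PATH_RE.fullmatch(value)) and '..' not in value


def classify_request(target: str):
    """Return a reason string if the request looks like an abuse of the
    cs_consultation handler, or None if it is benign / not handled by the plugin."""
    # The plugin triggers on 'cs_consultation' anywhere in the URL, path or query.
    if 'cs_consultation' not in unquote(target):
        return None
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
    for value in params.get('path', []):
        if is_safe_path(value):
            continue
        if SHORTCODE_DELIMS & set(value):
            return 'shortcode breakout in path'
        return 'path outside allow-list'
    return None


def scan_log(lines):
    """Yield (client ip, request target, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m['target'])
        if reason:
            hits.append((m['ip'], m['target'], reason))
    return hits


# Constructed sample log lines: one legitimate consultation page, the advisory's
# proof-of-concept URL percent-encoded, an HTML fragment in path, the trigger
# word in the URL path rather than the query, and an unrelated request.
LOG_LINES = [
    '10.0.0.5 - - [16/Apr/2015:17:48:12 +0000] "GET /?cs_consultation&path=consultations/123 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Apr/2015:17:49:01 +0000] "GET /?cs_consultation&path=%22%5D%5Bshortcodehere%5D%5B%5B%5B HTTP/1.1" 200 6100',
    '10.0.0.9 - - [16/Apr/2015:17:50:30 +0000] "GET /?cs_consultation&path=consultations%3Cb%3E HTTP/1.1" 200 6000',
    '10.0.0.7 - - [16/Apr/2015:17:51:00 +0000] "GET /blog/cs_consultation-notes/?path=%5Dfoo HTTP/1.1" 200 3000',
    '10.0.0.3 - - [16/Apr/2015:17:52:00 +0000] "GET /contact/ HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for ip, target, reason in scan_log(LOG_LINES):
        print(f'{ip} {reason}: {target}')
```

The check is deliberately an allow-list rather than stripping square brackets: the plugin has been withdrawn, so the useful lesson is the general one, that a value destined for a shortcode string must be validated against the shape the application expects, not merely cleaned of the one character the proof of concept uses. The scanner classifies the fourth line as a breakout even though cs_consultation is in the URL path, matching the plugin's "anywhere in the URL" trigger described above.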
Mitigations
================
Disable and remove the plugin. The plugin authors (Delib) have deprecated the
plugin and removed it from the plugin directory. They no longer recommend it as
a way of integrating Citizen Space with WordPress:
https://delib.zendesk.com/hc/en-us/articles/203432169-Citizen-Space-Wordpress-plug-in
https://delib.zendesk.com/hc/en-us/articles/203432149-How-do-I-integrate-Citizen-Space-into-my-existing-website-
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our
disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@xxxxxxx to acknowledge this report if you
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they
generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this
report within 14 days.
Timeline
================
2015-01-30: Discovered
2015-03-04: CVE requested
2015-03-05: Reported to vendor by email
2015-03-12: Confirmed plan for deprecation
2015-03-31: Plugin confirmed deprecated and removed from WP.org.
2015-04-16: Published
Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/