[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2015-4413 - Wordpress “Nextend Facebook Connect” Cross Site Scripting

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] CVE-2015-4413 - Wordpress “Nextend Facebook Connect” Cross Site Scripting
From: Liran Segal <lirans@xxxxxxxxxx>
Date: Mon, 22 Jun 2015 08:52:42 +0000

Document Title:
===============
WordPress “Nextend Facebook Connect” Plugin Version: 1.5.4 is vulnerable to 
Reflected XSS (Cross Site Scripting)


Download URL:

=============

https://wordpress.org/plugins/nextend-facebook-connect/



Release Date:

=============
2015-06-20


Vulnerability CVE ID:

=====================
CVE-2015-4413


Vulnerability Disclosure Timeline:

==================================
2015 – 06 – 03 First notified to WordPress.
2015 – 06 – 07 First notified to plugin vendor .
2015 – 06 – 10 First notified to Mitre for CVE number.
2015 – 06 – 11 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.


Discovery Status:

=================

Published


Severity Level:

===============

High


Technical Details, Description & Proof of Concept (PoC):

========================================================

After installing Wordpress I add the plugin " Nextend Facebook Connect" witch 
allow you to login Wordpress with Facebook account.

During my test I find out that the “redirect_to” parameter is vulnerable to 
Reflected XSS attack.


To reach to root of the problem, I took a look in the plugin source code and 
realized that the “new_fb_sign_button()” witch located in the file 
“nextend-facebook-connect.php”.

The problematic function are locate in line 432:
http://www.siz.co.il/my.php?i=djvy5z2yhczl.png


As you can see in the line 432, the function don’t escapes HTML tags or other 
dangerous symbols.

When attacker injects the Javascript code in the URL the function runs the 
code, as you can see:
http://www.siz.co.il/my.php?i=zeu3dnmw5ktz.png

And pop the alert window.


Solution - Fix & Patch:

=======================

In order to solve this security flaw you need to add the “htmlentities” 
function. (http://php.net/htmlentities)

As you can see in the image:
http://www.siz.co.il/my.php?i=3jwizyzfgtmu.png

Liran Segal (Bugsec Information Security LTD)

Regards,
Liran Segal
Penetration Testing
BugSec Cyber & Information Security

____________________________________________________________________________________________________________________________________________________________________________________________


Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351

Mail: lirans@xxxxxxxxxx<mailto:lirans@xxxxxxxxxx> Site: 
www.bugsec.com<http://www.bugsec.com/>

[תיאור: תיאור: תיאור: bugsec_car_logo]<http://www.bugsec.com/>
Would you know if you’re under attack?
[תיאור: cid:image002.jpg@01CF3E27.3B0DCAC0]<http://www.cyber-spear.com/>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] ERPSCAN Research Advisory [ERPSCAN-15-011] SAP Mobile Platform 3.0 - XXE
Next by Date: [FD] CVE-2015-4557 - Wordpress “Nextend Twitter Connect” & “Nextend Google Connect” Cross Site Scripting
Previous by thread: [FD] ERPSCAN Research Advisory [ERPSCAN-15-011] SAP Mobile Platform 3.0 - XXE
Next by thread: [FD] CVE-2015-4557 - Wordpress “Nextend Twitter Connect” & “Nextend Google Connect” Cross Site Scripting
Index(es):
- Date
- Thread