List:       full-disclosure
Subject:    [FD] [CVE-2018-6194, CVE-2018-6195] PHP Object Injection + XSS in WordPress Splashing
From:       <nicolas.buzy-debat () orange ! com>
Date:       2018-01-26 2:31:26
Message-ID: 19372_1516933887_5A6A92FF_19372_62_1_6AB2D331DE4A31449464D20926760F7902D76120 () OPEXCLILM24 ! corporate ! adroot ! infra ! ftgroup

Product: WordPress Splashing Images Plugin - https://wordpress.org/plugins/wp-splashing-images/
Vendor: Studio Espresso
Tested version: 2.1


** CVE ID: CVE-2018-6194 **

> > CVE description ::
A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the wp-splashing-images plugin before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php.

> > Technical details ::
In wp-splashing-images/admin/partials/wp-splashing-admin-sidebar.php:9, the search HTTP GET parameter is echoed directly into the value attribute of an HTML form field without any output encoding. An attacker can terminate the attribute and the input tag with the sequence "> and then inject arbitrary HTML/JavaScript code.

Vulnerable code:

<input type="search" id="post-search-input-splashing" name="search" value="<?php echo $_GET['search']; ?>" placeholder="<?php _e('Search unsplash.com', 'wp-splashing-images'); ?>">

https://plugins.trac.wordpress.org/browser/wp-splashing-images/trunk/admin/partials/wp-splashing-admin-sidebar.php?rev=1675965#L9


> > Proof of Concept ::
http://<host>/wp-admin/upload.php?page=wp-splashing&search="><script>alert(document.cookie);</script>
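The following PHP snippet is an added example, not code from the plugin: it places the raw echo of the sidebar beside an attribute-encoded version. It assumes it is run outside WordPress, so esc_attr() is stubbed with htmlspecialchars() when the real function is not loaded.

```php
<?php
// Added example (not the plugin's code). Outside WordPress, esc_attr() does not
// exist, so a stand-in with the same contract (attribute-safe encoding) is defined.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern, as in wp-splashing-admin-sidebar.php:9: the request
// parameter is concatenated straight into a double-quoted attribute.
function render_search_vulnerable(string $search): string {
    return '<input type="search" name="search" value="' . $search . '">';
}

// Hardened pattern: encode for the attribute context first, so a double quote
// in the input becomes &quot; and can no longer close the attribute or the tag.
function render_search_fixed(string $search): string {
    return '<input type="search" name="search" value="' . esc_attr($search) . '">';
}

// Constructed input mirroring the advisory's proof-of-concept value.
$search = '"><script>alert(document.cookie);</script>';

echo "Vulnerable: ", render_search_vulnerable($search), PHP_EOL;
echo "Fixed:      ", render_search_fixed($search), PHP_EOL;
```

Running it prints the two renderings side by side; in the fixed one the whole value stays inside the attribute as inert text.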



** CVE ID: CVE-2018-6195 **

> > CVE description ::
admin/partials/wp-splashing-admin-main.php in the wp-splashing-images plugin before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

> > Technical details ::
In wp-splashing-images/admin/partials/wp-splashing-admin-main.php:23, the contents of the session HTTP GET parameter are base64-decoded and then passed straight to unserialize().

Vulnerable code:

<?php if($_GET['session']) {
    $data = unserialize(base64_decode($_GET['session']));
https://plugins.trac.wordpress.org/browser/wp-splashing-images/trunk/admin/partials/wp-splashing-admin-main.php?rev=1675965#L23


By carefully crafting a URL, a remote and authenticated (administrator, editor or author) attacker can inject a base64-encoded serialized PHP object into the current WordPress instance. Depending on the available classes within the current context and on what actions are performed within their relevant magic methods (such as __wakeup() or __destruct()), impacts can go from arbitrary file deletion to arbitrary code execution.

> > Proof of Concept ::
Using pluginvulnerabilities.com's plugin [1], we can easily check that this vulnerability is exploitable: http://<host>/wp-admin/upload.php?page=wp-splashing&session=TzoyMDoiUEhQX09iamVjdF9JbmplY3Rpb24iOjA6e30%3D
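The following PHP snippet is an added example, not code from the plugin or from the pluginvulnerabilities.com test plugin: it shows why unserialize() on the session parameter lets a request instantiate an arbitrary loaded class and run its __wakeup(), and two safer ways to read the same parameter. DemoGadget and its counter are constructed for the example.

```php
<?php
// Added example (not the plugin's code). DemoGadget stands in for any class
// with a magic method that happens to be loaded in the WordPress context.
class DemoGadget {
    public static int $wakeupCalls = 0;
    public string $note = 'constructed';
    public function __wakeup(): void {
        // A real gadget might touch the filesystem or eval code here;
        // this one only records that unserialize() reached it.
        self::$wakeupCalls++;
    }
}

// Mirrors wp-splashing-admin-main.php:23: whatever class name the client
// names in the serialized string is instantiated and its __wakeup() runs.
function load_session_vulnerable(string $param) {
    return unserialize(base64_decode($param));
}

// Mitigation 1: forbid class instantiation. Object entries come back as
// __PHP_Incomplete_Class, so no real class's __wakeup()/__destruct() executes.
function load_session_no_classes(string $param) {
    return unserialize(base64_decode($param), ['allowed_classes' => false]);
}

// Mitigation 2 (preferred): do not accept PHP's serialize format from the
// client at all; JSON carries the same data and cannot name classes.
function load_session_json(string $param): array {
    $raw = base64_decode($param, true);   // strict: reject malformed base64
    if ($raw === false) {
        return [];
    }
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed payload: a serialized DemoGadget, the same shape as the
// advisory's PoC value (O:20:"PHP_Object_Injection":0:{}) but naming our class.
$payload = base64_encode(serialize(new DemoGadget()));

load_session_vulnerable($payload);
echo "vulnerable path: __wakeup() calls = ", DemoGadget::$wakeupCalls, PHP_EOL;

$obj = load_session_no_classes($payload);
echo "allowed_classes=false: got ", get_class($obj),
     ", __wakeup() calls still = ", DemoGadget::$wakeupCalls, PHP_EOL;

echo "json path: ", count(load_session_json($payload)), " keys (payload rejected)", PHP_EOL;
```

The counter moves only on the vulnerable path; the other two never instantiate the class the payload names.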


[1] https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/



** Solution **
Update to version 2.1.1


** Timeline **
10/01/2018: vendor contacted; vendor gives the e-mail address to send the report to
12/01/2018: report sent to vendor
22/01/2018: requested an update regarding the release date of the fix; vendor releases the fix on that day
26/01/2018: report published


** Credits **
Vulnerabilities discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).

--
Best Regards,

Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/