WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

2015.06.25
Credit: Liran Segal
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2015-4557
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Wordpress “Nextend Twitter Connect” =================================== Document Title: =============== WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting) Download URL: ============= https://wordpress.org/plugins/nextend-twitter-connect/ Release Date: ============= 2015-06-20 Vulnerability CVE ID: ===================== CVE-2015-4557 Vulnerability Disclosure Timeline: ================================== 2015 – 06 – 15 First notified to WordPress. 2015 – 06 – 15 First notified to plugin vendor . 2015 – 06 – 15 First notified to Mitre for CVE number. 2015 – 06 – 16 Vendor publish update for the plugin. 2015 – 06 – 22 Public Disclosure. Discovery Status: ================= Published Severity Level: =============== High Technical Details, Description & Proof of Concept (PoC): ======================================================== After installing Wordpress I add the plugin "Nextend Twitter Connect" witch allow you to login Wordpress with Twitter account. During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack. http://www.siz.co.il/my.php?i=hvmwzqo0tmjw.png To reach to root of the problem, I took a look in the plugin source code and realized that the “new_Twitter_sign_button” witch located in the file “nextend-Twitter-connect.php”. The problematic function are locate in line 492: http://www.siz.co.il/my.php?i=bndijzkozjdy.png As you can see in the line 492, the function don’t escapes HTML tags or other dangerous symbols. When attacker injects the Javascript code in the URL the function runs the code, as you can see: http://www.siz.co.il/my.php?i=ni4jzmzjmrni.png And pop the alert window. Solution - Fix & Patch: ======================= In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities) As you can see in the image: http://www.siz.co.il/my.php?i=yjz4jmie4m1g.png Wordpress “Nextend Google Connect” =================================== Document Title: =============== WordPress “Nextend Google Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting) Download URL: ============= https://wordpress.org/plugins/nextend-google-connect/ Release Date: ============= 2015-06-20 Vulnerability CVE ID: ===================== CVE-2015-4557 Vulnerability Disclosure Timeline: ================================== 2015 – 06 – 15 First notified to WordPress. 2015 – 06 – 15 First notified to plugin vendor . 2015 – 06 – 15 First notified to Mitre for CVE number. 2015 – 06 – 16 Vendor publish update for the plugin. 2015 – 06 – 22 Public Disclosure. Discovery Status: ================= Published Severity Level: =============== High Technical Details, Description & Proof of Concept (PoC): ======================================================== After installing Wordpress I add the plugin "Nextend Google Connect" witch allow you to login Wordpress with Google account. During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack. http://www.siz.co.il/my.php?i=yzjzqwyn4qo3.png To reach to root of the problem, I took a look in the plugin source code and realized that the “new_google_sign_button” witch located in the file “nextend-Google-connect.php”. The problematic function are locate in line 433: http://www.siz.co.il/my.php?i=z4dnntazxkmz.png As you can see in the line 433, the function don’t escapes HTML tags or other dangerous symbols. When attacker injects the Javascript code in the URL the function runs the code, as you can see: http://www.siz.co.il/my.php?i=0omtugeig1z0.png And pop the alert window. Solution - Fix & Patch: ======================= In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities) As you can see in the image: http://sizmedia.com/my.php?i=zmnjdljwthmm.png Liran Segal (Bugsec Information Security LTD) Regards, Liran Segal Penetration Testing BugSec Cyber & Information Security ____________________________________________________________________________________________________________________________________________________________________________________________ Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351 Mail: lirans@bugsec.com<mailto:lirans@bugsec.com> Site: www.bugsec.com<http://www.bugsec.com/>

References:

https://wordpress.org/plugins/nextend-twitter-connect/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top