A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted web site. The attack targets your application's users rather than the application itself, but it uses your application as the vehicle for the attack. The XSS payload executes when the user loads a Create Lead Form page created in Zoho CRM Lead Magnet version 1.6.9.1.
Proof of concept: (POC)
Issue 1:
By exploiting a cross-site scripting vulnerability an attacker can easily gain access to the user's session by stealing cookies, and can also exploit the user's browser.
Log in to the application
Install the Zoho CRM Lead Magnet plugin
Figure 01: Zoho CRM Lead Magnet
Figure 02: client key and secret id filled in while authenticating the Zoho CRM plugin
Click on the Create New Form button, fill in the values and click on the Next button
Figure 03: new form in the Zoho CRM plugin
Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.
Figure 04: Request with XSS payload sent to the server
Figure 05: Request and response captured in the proxy
The injected XSS payload executes when the user visits or reloads the page.
Figure 06: The JavaScript is successfully executed in the victim browser context
Figure 07: The WordPress application running on version 5.2.3
Figure 08: The WordPress Zoho CRM Lead Magnet plugin Version: 1.6.9.1
Figure 09: The default cross-site scripting mitigation setting in the wp.config file to prevent cross-site scripting attacks.
Reproducing Steps
Log in to the WordPress application on localhost.
Access the vulnerable GET request URL with the XSS payload inserted into the vulnerable variable.
The XSS executes on the user's machine once the user clicks on the given vulnerable link.
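As an added example (not part of the advisory or the plugin), a defender-side check: scan web-server access logs for requests that hit the create-leadform-builder admin page with markup in the parameters the advisory names (module, EditShortcode, LayoutName). It assumes Apache/nginx combined log format and a WordPress install under /wordpress/; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameters named in the advisory; the admin page should only see
# short identifiers here (e.g. "Leads", "58H3N", "Standard"), never markup.
VULN_PAGE = "create-leadform-builder"
VULN_PARAMS = ("module", "EditShortcode", "LayoutName")
MARKERS = re.compile(r"[<>]|on\w+\s*=|javascript:", re.IGNORECASE)
# Combined log format: client ident user [timestamp] "METHOD target proto" status ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def suspicious_params(target):
    """Return {param: decoded value} for vulnerable params that carry markup."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)
    if VULN_PAGE not in qs.get("page", []):
        return {}
    hits = {}
    for name in VULN_PARAMS:
        for value in qs.get(name, []):
            decoded = unquote(value)  # parse_qs decoded once; catch double-encoding too
            if MARKERS.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Return [(client_ip, timestamp, {param: value})] for requests carrying a payload."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                findings.append((m["ip"], m["ts"], hits))
    return findings

# Constructed sample lines (not real traffic): a benign request, the advisory's
# payload in LayoutName, a double-encoded payload in module, and markup on an
# unrelated (made-up) admin page that the page filter must ignore.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Oct/2019:10:00:01 +0000] "GET /wordpress/wp-admin/admin.php?page=create-leadform-builder&module=Leads&EditShortcode=58H3N&LayoutName=Standard HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Oct/2019:10:02:13 +0000] "GET /wordpress/wp-admin/admin.php?page=create-leadform-builder&module=Leads&EditShortcode=58H3N&LayoutName=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 5201',
    '10.0.0.9 - - [15/Oct/2019:10:03:40 +0000] "GET /wordpress/wp-admin/admin.php?page=create-leadform-builder&module=%253Cscript%253E&EditShortcode=58H3N&LayoutName=Standard HTTP/1.1" 200 5198',
    '10.0.0.7 - - [15/Oct/2019:10:05:02 +0000] "GET /wordpress/wp-admin/admin.php?page=zoho-settings&LayoutName=%3Cb%3E HTTP/1.1" 200 3100',
]
```

Running scan_log(SAMPLE_LOG) flags only the two requests from 10.0.0.9; the benign request and the unrelated page produce no findings.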
Timeline
2019-10-13 – Discovered in the WordPress Zoho CRM Lead Magnet plugin
2019-10-14 – Reported to plugins@wordpress.org
2019-10-15 – Received an immediate response from the WordPress plugin team
2019-10-15 – Issue acknowledged and fixed immediately
2019-10-16 – Published this write-up
Details
ZOHO CRM Lead Magnet version 1.6.9.1
Bug Name: Reflected Cross-Site Scripting (XSS) in WordPress Plugin
Product: ZOHO CRM Lead Magnet version 1.6.9.1
Version: 1.6.9.1
Last Updated: 14-10-2019
Homepage: http://localhost/wordpress/
Severity: High
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=create-leadform-builder&__module=ManageShortcodes&__action=zcfCrmManageFieldsLists&onAction=onCreate&crmtype=crmformswpbuilder&module=Leads&EditShortcode=58H3N&LayoutName=Standard&formName=Unititled
Vulnerable Variable: Module & EditShortcode & LayoutName
Discovered by:
Saran Baskar from Cyber Security Works Research Lab