ZOHO CRM Lead Magnet version 1.6.9.1 #16

cybersecurityworks opened this issue Oct 16, 2019 · 0 comments
cybersecurityworks commented Oct 16, 2019

Details

ZOHO CRM Lead Magnet version 1.6.9.1
Bug Name: Reflected Cross Site Scripting (XSS) in WordPress Plugin
Product: ZOHO CRM Lead Magnet version 1.6.9.1
Version: 1.6.9.1
Last Updated: 14-10-2019
Homepage: http://localhost/wordpress/
Severity: High
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=create-leadform-builder&__module=ManageShortcodes&__action=zcfCrmManageFieldsLists&onAction=onCreate&crmtype=crmformswpbuilder&module=Leads&EditShortcode=58H3N&LayoutName=Standard&formName=Unititled
Vulnerable Variables: module, EditShortcode, LayoutName

Description:

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted web site. The attack targets your application's users rather than the application itself, but it uses your application as the vehicle for the attack. The XSS payload executes when the user loads a create-lead-form page created in Zoho CRM Lead Magnet version 1.6.9.1.

Proof of Concept (PoC)

Issue 1:

By exploiting a cross-site scripting vulnerability, an attacker can easily gain access to a user's session by stealing cookies and can also exploit the user's browser.

  1. Log in to the application

  2. Install the Zoho CRM Lead Magnet plugin

Figure 01: Zoho CRM Lead Magnet

  3. Configure the client ID and secret key

Figure 02: Client key and secret ID filled in when authenticating the Zoho CRM plugin

  4. Click the Create New Form button, fill in the values and click the Next button

Figure 03: New form in the Zoho CRM plugin

  5. Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

Figure 04: Request with XSS payload sent to the server

Figure 05: Request and response captured in the proxy

  6. The injected XSS payload executes when the user visits or reloads the page

Figure 06: The JavaScript is successfully executed in the victim's browser context

Figure 07: The WordPress application running on version 5.2.3

Figure 08: The WordPress Zoho CRM Lead Magnet plugin, version 1.6.9.1

Figure 09: The default cross-site scripting mitigation setting in the wp-config file to prevent cross-site scripting attacks


Reproducing Steps

  1. Log in to the WordPress application on localhost
  2. Access the vulnerable GET request URL with the XSS payload inserted into the vulnerable variable.
  3. The XSS executes on the user's machine once the user clicks the given vulnerable link.
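Added here as an illustration of the fix class, not the plugin's actual code (the function names and hidden-field markup are assumptions): a vulnerable render of the three reflected parameters beside a hardened one that uses WordPress core's capability, nonce and escaping helpers.

```php
<?php
// Added illustration, not the plugin's own code: the three reflected
// parameters named in this report (module, EditShortcode, LayoutName)
// echoed unsafely, then the hardened form. Function names are hypothetical.

// VULNERABLE: raw query-string values concatenated into HTML attributes.
// A payload like the one in this report terminates the attribute and
// runs in the browser of whoever opens the crafted admin link.
function zcf_render_form_header_vulnerable() {
    echo '<input type="hidden" name="module" value="' . $_GET['module'] . '">';
    echo '<input type="hidden" name="EditShortcode" value="' . $_GET['EditShortcode'] . '">';
    echo '<input type="hidden" name="LayoutName" value="' . $_GET['LayoutName'] . '">';
}

// HARDENED: capability check, nonce check, allow-listing and output escaping,
// all with WordPress core helpers (current_user_can, check_admin_referer,
// wp_unslash, sanitize_text_field, esc_attr).
function zcf_render_form_header_hardened() {
    // Only users allowed to manage plugin settings may reach this screen.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'zcf' ) );
    }
    // A link crafted by a third party carries no valid _wpnonce, so the
    // reflected request is rejected before any parameter is echoed.
    check_admin_referer( 'zcf_edit_form' );

    // Unslash and sanitize every parameter; fall back to safe defaults.
    $module = isset( $_GET['module'] ) ? sanitize_text_field( wp_unslash( $_GET['module'] ) ) : 'Leads';
    // Structured values get an allow-list rather than trusting the input.
    if ( ! in_array( $module, array( 'Leads', 'Contacts' ), true ) ) {
        $module = 'Leads';
    }
    $shortcode = isset( $_GET['EditShortcode'] ) ? sanitize_text_field( wp_unslash( $_GET['EditShortcode'] ) ) : '';
    $layout    = isset( $_GET['LayoutName'] ) ? sanitize_text_field( wp_unslash( $_GET['LayoutName'] ) ) : 'Standard';

    // esc_attr() encodes < > & " ' so a value cannot break out of the attribute.
    echo '<input type="hidden" name="module" value="' . esc_attr( $module ) . '">';
    echo '<input type="hidden" name="EditShortcode" value="' . esc_attr( $shortcode ) . '">';
    echo '<input type="hidden" name="LayoutName" value="' . esc_attr( $layout ) . '">';
}
```

The nonce check only helps when every legitimate link to the page is generated with wp_nonce_url() using the same action name; output escaping is the part that closes the reflected XSS itself.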

Timeline

2019-10-13 – Discovered in the WordPress Zoho CRM Lead Magnet plugin
2019-10-14 – Reported to plugins@wordpress.org
2019-10-15 – Received an instant response from the WordPress plugin team
2019-10-15 – Issue acknowledged and fixed immediately
2019-10-16 – Came up with a write-up here


Discovered by:
Saran Baskar from Cyber Security Works Research Lab
