WordPress Product Bugs Report
Bug Name: XSS (Cross Site Scripting)
Software: BulletProof Security
Version: .52.4
Last Updated: 18-08-2015
Homepage: https://wordpress.org/plugins/powerpress/developers/
Compatible up to WordPress 4.3.0 (Requires: 3.7 or higher)
Severity: High
Description: XSS vulnerability in WordPress plugin BulletProof Security
Reproducing Steps
Log on to any WordPress installation (localhost or public host).
Modify the value of the DBTablePrefix variable in BulletProof Security .52.4.
Fill all the variables with the "><script>alert(document.cookie);</script> payload and send the request to the server.
The added XSS payload is then echoed back from the server without input validation, even after wp-config.php has been configured with the XSS filter settings.
It also affects the $table_prefix value in the wp-config.php file and corrupts database connectivity.
Timeline
2015-09-04 – Discovered in BulletProof Security Plugin
2015-09-09 – Fixed in BulletProof Security Plugin Version .52.5
Details
Proof of concept: (POC)
Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php
Set the value of the DBTablePrefix variable to
"></script><script>alert(document.cookie);</script>
and send the request to the server. The added XSS payload is then echoed back from the server without input validation. It also affects the $table_prefix value in the wp-config.php file and corrupts database connectivity.
Note: The XSS payload was tested against the application after the unfiltered HTML setting below had been defined in the wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
Users: You MUST be an Administrator and logged into the site as an Administrator in order to enter/test XSS html testing code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using a version of BPS versions. Entering an invalid DB Table Prefix name will crash your website.
Issue 1:
The DBTablePrefix variable in the POST request to http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php is vulnerable to Cross Site Scripting (XSS).
Figure 1: Invalid HTTP script Request sent to the server through the vulnerable DBTablePrefix variable in the URL http://localhost/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php
Figure 2: Echoed back HTTP Response without validation.
Figure 3: Response Executed in the browser with Cookie value
Figure 4: $table_prefix is also damaged with the given XSS Payload
Figure 5: Error message after the payload gets executed in the browser
Discovered by:
Sathish from Cyber Security Works Pvt Ltd
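
A defensive example for the DBTablePrefix field described in this report, added here and not taken from the plugin or from its .52.5 fix: the prefix is allowlist-validated before it can be written to wp-config.php, and whatever is echoed back into the form is HTML-encoded. The function names and the 20-character limit are assumptions.

```php
<?php
// Added example, not BulletProof Security code. Function names are hypothetical.
// DISALLOW_UNFILTERED_HTML only removes the unfiltered_html capability (post and
// comment content); it does not sanitize a plugin's own form fields.

/** Return the prefix if it is safe for wp-config.php and SQL identifiers, else null. */
function validate_table_prefix(string $raw): ?string
{
    $prefix = trim($raw);
    // Allowlist: letters, digits, underscore; bounded length (20 is an assumed limit).
    if (preg_match('/\A[A-Za-z0-9_]{1,20}\z/', $prefix) !== 1) {
        return null;
    }
    return $prefix;
}

/** Encode a value for an HTML attribute (WordPress code would use esc_attr()). */
function attr_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Handle the form value: reject before anything is written or echoed raw. */
function handle_prefix_form(string $submitted): array
{
    $prefix = validate_table_prefix($submitted);
    if ($prefix === null) {
        // Invalid input never reaches wp-config.php; it is only re-displayed, encoded.
        return ['ok' => false,
                'field' => '<input name="DBTablePrefix" value="' . attr_encode($submitted) . '">',
                'config_line' => null];
    }
    return ['ok' => true,
            'field' => '<input name="DBTablePrefix" value="' . attr_encode($prefix) . '">',
            'config_line' => "\$table_prefix = '" . $prefix . "';"];
}

// Constructed sample inputs: the payload string from this report and a valid prefix.
$samples = ['"><script>alert(document.cookie);</script>', 'wp_a1b2c3_'];
foreach ($samples as $s) {
    $r = handle_prefix_form($s);
    echo ($r['ok'] ? 'ACCEPT ' : 'REJECT '), $r['field'], "\n";
    if ($r['ok']) { echo '       ', $r['config_line'], "\n"; }
}
```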