
XSS Vulnerability in BulletProof Security Version .52.4 #3

cybersecurityworks opened this issue Sep 14, 2015 · 0 comments

WordPress Product Bug Report
Bug Name: XSS (Cross-Site Scripting)
Software: BulletProof Security
Version: .52.4
Last Updated: 18-08-2015
Homepage: https://wordpress.org/plugins/powerpress/developers/
Compatible up to WordPress 4.3.0 (Requires: 3.7 or higher)
Severity: High
Description: XSS vulnerability in the WordPress plugin BulletProof Security

Proof of concept: (POC)

Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php. Modify the value of the DBTablePrefix variable to the payload "></script><script>alert(document.cookie);</script> and send the request to the server.

The added XSS payload is then echoed back by the server without the input being validated. It also affects the wp-config.php file ($table_prefix) and corrupts the database connectivity.

Note: The XSS payload was tried against the application after the Unfiltered HTML setting had been applied in the wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

Users: You MUST be an Administrator, and logged into the site as an Administrator, in order to enter/test XSS HTML test code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using an affected BPS version. Entering an invalid DB Table Prefix name will crash your website.

Issue 1:
The DBTablePrefix variable in the POST request to the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php is vulnerable to Cross-Site Scripting (XSS).

Figure 1 (bps_xss_02): Invalid HTTP script request sent to the server through the vulnerable DBTablePrefix variable at the URL http://localhost/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php

Figure 2 (bps_xss_03): HTTP response echoed back without validation.

Figure 3 (bps_xss_04): Response executed in the browser, showing the cookie value.

Figure 4 (bps_xss_01): $table_prefix is also damaged by the given XSS payload.

Figure 5 (bps_xss_05): Error message after the payload executes in the browser.


Reproducing Steps

  1. Log in to any WordPress installation (localhost or public host).
  2. Modify the value of the DBTablePrefix variable in BulletProof Security .52.4.
  3. Fill all the variables with the "><script>alert(document.cookie);</script> payload and send the request to the server.
  4. The added XSS payload is echoed back by the server without the input being validated, even after the wp-config.php file has been configured with the XSS filter setting.
  5. It also affects the wp-config.php file ($table_prefix) and corrupts the database connectivity.
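The remediation the report implies, written here as an added example that is not BulletProof Security's own code, is to treat the DBTablePrefix value as untrusted on both paths the report describes: the reflected form field (Issue 1, step 4) and the $table_prefix line written into wp-config.php (step 5). The allow-list below is the same rule WordPress's own installer enforces for a table prefix (letters, digits and underscores only); the 32-character cap, the function names and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not BulletProof Security's code): validate a DB table
// prefix before it is echoed back or written to wp-config.php.
// WordPress's installer only accepts [A-Za-z0-9_] in $table_prefix, so a
// strict allow-list is the right check; everything else is rejected outright.

/**
 * Return the prefix if it is safe to use, or null if it must be rejected.
 * A valid prefix is 1-32 characters of letters, digits and underscores
 * (the length cap is an assumption for this example).
 */
function validate_table_prefix(string $prefix): ?string {
    if (preg_match('/^[A-Za-z0-9_]{1,32}$/', $prefix) !== 1) {
        return null;
    }
    return $prefix;
}

/**
 * Render the form field. The value is HTML-escaped on output so that even
 * a rejected prefix cannot break out of the value="" attribute; this is the
 * missing step behind the reflected XSS in Issue 1.
 */
function render_prefix_field(string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="DBTablePrefix" value="' . $safe . '">';
}

/**
 * Build the $table_prefix line for wp-config.php. Only a validated prefix
 * is accepted, so the database connection cannot be corrupted by a bad
 * value (step 5); var_export() additionally quotes the string correctly.
 */
function build_table_prefix_line(string $prefix): string {
    $valid = validate_table_prefix($prefix);
    if ($valid === null) {
        throw new InvalidArgumentException('Rejected invalid DB table prefix');
    }
    return '$table_prefix = ' . var_export($valid, true) . ';';
}

// Constructed inputs: two sane prefixes, the payload shape from the report,
// and a prefix with a character the allow-list does not permit.
$inputs = [
    'wp_',
    'wp_a1b2c3_',
    '"></script><script>alert(document.cookie);</script>',
    'wp-',
];

foreach ($inputs as $input) {
    $verdict = validate_table_prefix($input) === null ? 'REJECT' : 'accept';
    echo $verdict, ' ', render_prefix_field($input), PHP_EOL;
    if ($verdict === 'accept') {
        echo '  ', build_table_prefix_line($input), PHP_EOL;
    }
}
```

Run it with `php validate_prefix.php`: the payload string is rejected before any wp-config.php line is built, and the echoed field shows it inert as `&quot;&gt;&lt;/script&gt;...`. The DISALLOW_UNFILTERED_HTML constant tried in the report only removes the unfiltered_html capability, which governs the HTML users may place in post content and comments; it has no effect on how a plugin echoes its own request parameters, so it is not a mitigation for this class of bug.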

Timeline
2015-09-04 – Discovered in BulletProof Security Plugin
2015-09-09 – Fixed in BulletProof Security Plugin Version .52.5


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
