
Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF) in Crony Cronjob Manager Version 0.4.4 #9

Open
cybersecurityworks opened this issue Oct 27, 2015 · 0 comments
WordPress Product Bug Report
Bug Name: XSS & CSRF in Crony Cronjob Manager Version 0.4.4
Software: Crony Cronjob Manager Version 0.4.4 (WordPress plugin)
Version: 0.4.4
Last Updated: 17-03-2015
Homepage: https://wordpress.org/plugins/crony/
Compatible up to WordPress 4.3.0 (requires 3.6 or higher)
Severity: High

Proof of concept (PoC)

Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=crony&action=manage&do=create. Modify the value of the name variable to the payload <script>alert(‘Vulnerable2CSRF&XSS’)</script>, build a CSRF request from it, and deliver that request to the victim.

The added XSS payload then executes in the victim's browser, and the victim's machine can be compromised.

Note: the XSS payload was tested again after disabling unfiltered HTML in wp-config.php, as shown below; it still executed.

define( 'DISALLOW_UNFILTERED_HTML', true );

Issue 1:

The name variable in the POST request to http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=crony&action=manage&do=create is vulnerable to XSS, and the same request can also be forged via CSRF. Both are explained in detail with screenshots below.
[Screenshot: before csrf]
Figure 1: Cronjob list before the CSRF request and XSS payload are executed.

[Screenshot: vulnerable variable]
Figure 2: The name input field, which is vulnerable to XSS.

[Screenshot: csrf-request]
Figure 3: Capturing the HTTP request in an intercepting proxy.

[Screenshot: csrf-2]
Figure 4: A crafted HTML page containing the XSS input and the CSRF request.

Note: after creating the CSRF HTML page, the user logged out and logged in again, and only then was the HTML page opened. In this case we executed it from the local machine.

[Screenshot: csrf-3]
Figure 5: XSS payload executed in the browser once the link sent by the attacker has been clicked.

[Screenshot: csrf-4]
Figure 6: XSS payload executed and a new cronjob created.

Reproducing Steps

  1. Log in to any WordPress application (as the attacker).
  2. Click “Add new cronjob” in the Crony Cronjob Manager Version 0.4.4 plugin and capture the request in an intercepting proxy.
  3. Generate a CSRF request from the attacker's logged-in session.
  4. Modify the request with the code that should execute in the victim's browser.
  5. Set the name variable to “XSS&CSRF” together with any script, malicious code or payload.
  6. Here it is <script>alert(‘Vulnerable2CSRF&XSS’)</script>, which the attacker wants executed in the victim's browser; the attacker then sends the link to the victim.
  7. Once the victim opens the link in a browser where they are logged in, the added XSS payload executes immediately, and again whenever the entry is reviewed.
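The two defects the report describes are the absence of a CSRF token on the "create cronjob" request and the submitted name being rendered back without escaping. The following PHP, an added example that is not the Crony plugin's own code and not the fix the developer shipped in 0.4.6 (which this report does not show), contrasts that vulnerable pattern with a hardened handler. It assumes the WordPress runtime, which provides wp_nonce_field(), check_admin_referer(), current_user_can(), sanitize_text_field(), esc_html() and the options API; the crony_demo_* function, option and nonce names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes it is loaded inside WordPress.
// All crony_demo_* names are hypothetical.

// --- Vulnerable pattern: any POST reaching the admin page is accepted and stored ---
function crony_demo_create_vulnerable() {
    if ( isset( $_POST['name'] ) ) {
        $jobs   = get_option( 'crony_demo_jobs', array() );
        $jobs[] = array( 'name' => $_POST['name'] );        // no nonce check, no sanitisation
        update_option( 'crony_demo_jobs', $jobs );
    }
}

function crony_demo_list_vulnerable() {
    foreach ( get_option( 'crony_demo_jobs', array() ) as $job ) {
        echo '<li>' . $job['name'] . '</li>';                 // rendered unescaped: stored XSS
    }
}

// --- Hardened pattern ---
function crony_demo_form_hardened() {
    $action = admin_url( 'admin.php?page=crony&action=manage&do=create' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    // Per-user, time-limited token bound to the "create" action. A cross-site page
    // cannot read it, so a forged POST cannot include a valid value.
    wp_nonce_field( 'crony_demo_create', 'crony_demo_nonce' );
    echo '<input type="text" name="name">';
    submit_button( 'Add cronjob' );
    echo '</form>';
}

function crony_demo_create_hardened() {
    if ( ! isset( $_POST['name'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may create jobs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF: check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'crony_demo_create', 'crony_demo_nonce' );
    // 3. Sanitise before storage: strips tags and control characters from the name.
    $name   = sanitize_text_field( wp_unslash( $_POST['name'] ) );
    $jobs   = get_option( 'crony_demo_jobs', array() );
    $jobs[] = array( 'name' => $name );
    update_option( 'crony_demo_jobs', $jobs );
}

function crony_demo_list_hardened() {
    foreach ( get_option( 'crony_demo_jobs', array() ) as $job ) {
        // 4. Escape on output: a stored "<script>" is emitted as "&lt;script&gt;".
        echo '<li>' . esc_html( $job['name'] ) . '</li>';
    }
}
```

The nonce closes the CSRF issue and the output escaping closes the XSS issue; each is needed independently, since a logged-in attacker with the right capability can still submit a script tag through a nonce-protected form, and an escaped listing does not stop a forged request from creating a job. This also explains the report's note that setting DISALLOW_UNFILTERED_HTML made no difference: that constant only governs the unfiltered_html capability applied to post and comment content, and has no effect on what a plugin echoes from its own option data.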

Timeline

2015-08-28 – Discovered in Crony Cronjob Manager Version 0.4.4.
2015-08-28 – Reported to [email protected] and [email protected].
2015-08-28 – [email protected] replied, "I'll check it out, thanks for the heads up."
2015-09-08 – Another response from the developer, "I'll be back into things tomorrow morning, will let you know once it's up."
2015-09-27 – Developer responded that the issues were fixed in version 0.4.6.


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
