Posts Tagged “exploit”

The WP Contact Form III 1.4.1 WordPress plugin by ‘KristinKWangen’ is vulnerable to multiple cross-site scripting attacks.

Note to developers: this does not stop script injection attacks:

From wp-contactform.php line 105:
$_POST['wpcf_your_name'] = stripslashes(trim($_POST['wpcf_your_name']));

Also note that this is not a very good way to die:

From buttonsnap.php line 28:
$selection = isset($_POST['selection']) ? $_POST['selection'] : @$_GET['selection'];
$selection = apply_filters($dispatch, $selection);
die($selection);


Mozilla marked Bug ID 413250 as ‘RESOLVED FIXED’ on Tuesday. I got a chance to check out the fix today, and found that the fix is inadequate in stopping the attack. Here’s another demo that reads your session store, and like before, uses the Download Statusbar extension.

steal_sessionstore2.html.


I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. It’s possible to load any JavaScript file on a victim’s machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.

To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).

This looks very interesting and may have bigger potential, but for now, it’s just another information disclosure.

UPDATE:
There seems to be some confusion about what exactly the severity of this vulnerability is. First, this is not a chrome privilege escalation, but it’s worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session (windows, tabs, cookies, etc.).

The demos use Download Statusbar, but any ‘flat’ extension (not contained in a JAR file) will work (including Greasemonkey). If you want to track this bug, the Mozilla bug ID is 413250.

If you are using Firefox you need to have NoScript; it has stopped this type of attack since August 2007!

UPDATE 2:
Mozilla has marked this as a high severity bug and released a partial list of affected plugins here: https://bugzilla.mozilla.org/attachment.cgi?id=300181


I grabbed this off of some hacked servers in China, nothing special, but some people were asking for it. Drop me a line and I will email the actual html/js files if you’re interested. Sorry for the bad formatting, but you get the point.


WassUp is a new WordPress plugin to track your visitors in real time. It has a very readable and fancy admin console to keep track of your blog’s users’ visits. It has a “current visitors online” view and a more detailed “visitors details” view where you can know almost everything your users are doing on your blog; it’s very useful for SEO or statistics maniacs. Now it comes with a new “Spy” view in Ajax like the Digg Spy.

The WassUp plugin contains multiple XSS and SQL injection vulnerabilities. While version 1.4.1 fixed some of the issues, a good number remain unpatched. I won’t go into details because with code like the snippet below (from spy.php) it won’t take you long to find them.

//Retrieve command-line arguments...
if (isset($_GET['to_date'])) $to_date = $_GET['to_date'];
else $to_date = wassup_get_time();
if (isset($_GET['from_date'])) $from_date = $_GET['from_date'];
else $from_date = ($to_date - 3);
if (isset($_GET['rows'])) $rows = $_GET['rows'];
else $rows = 999;
spyview($from_date,$to_date,$rows);

spyview() calls $wpdb->get_results() without performing any filtering:

$qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp) as max_timestamp, ip, hostname, searchengine, urlrequested, agent, referrer, spider, username, comment_author FROM $table_name WHERE timestamp BETWEEN $from_date AND $to_date GROUP BY id ORDER BY max_timestamp DESC");

Regardless of whether the server uses magic_quotes or whether the plugin is even activated, you can exploit the SQL injection on spy.php.

If that wasn’t bad enough, there is a persistent XSS when displaying tracked visitor data, because the plugin doesn’t filter the URL. That means just browsing the site with some script tags appended to the end of the URL is enough: when the admin checks his visits, it will execute.

On a positive note, version 1.4.1 does have SOME filtering, done mainly on header data and a few parameters, but it’s still very bad and needs more work. But hey, it’s pretty!
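A hardened form of the spy.php argument handling, query and output shown above, added here as an example rather than taken from WassUp. It assumes a WordPress context (global $wpdb, esc_html(), wp_die()), uses PHP’s time() in place of wassup_get_time(), and the table name $wpdb->prefix . 'wassup' is an assumption.

```php
<?php
// Read one integer GET argument: only a plain string of digits is accepted,
// anything else (including SQL fragments) is treated as a bad request.
function wassup_int_arg( array $get, $key, $default ) {
    if ( ! isset( $get[ $key ] ) ) return $default;
    return ctype_digit( (string) $get[ $key ] ) ? (int) $get[ $key ] : null;
}

function wassup_spy_args( array $get ) {
    $to_date   = wassup_int_arg( $get, 'to_date', time() );          // time() replaces wassup_get_time()
    $from_date = wassup_int_arg( $get, 'from_date', $to_date - 3 );
    $rows      = wassup_int_arg( $get, 'rows', 999 );
    if ( null === $to_date || null === $from_date || null === $rows
        || $from_date > $to_date || $rows < 1 || $rows > 999 ) {
        return null; // non-numeric or out-of-range input never reaches the query
    }
    return array( 'from' => $from_date, 'to' => $to_date, 'rows' => $rows );
}

function wassup_spy_query( $from_date, $to_date, $rows ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wassup'; // assumed table name
    // %d placeholders: $wpdb->prepare() casts the values to integers, so the
    // statement's structure is fixed regardless of what was in $_GET.
    $sql = $wpdb->prepare(
        "SELECT id, wassup_id, MAX(timestamp) AS max_timestamp, ip, hostname, searchengine,
                urlrequested, agent, referrer, spider, username, comment_author
           FROM {$table}
          WHERE timestamp BETWEEN %d AND %d
          GROUP BY id ORDER BY max_timestamp DESC LIMIT %d",
        $from_date, $to_date, $rows
    );
    return $wpdb->get_results( $sql );
}

function wassup_spy_render( array $visits ) {
    // urlrequested and the other tracked fields are visitor-controlled: escape
    // them on output so stored <script> tags render as text in the admin view.
    foreach ( $visits as $v ) {
        printf( "<li>%s %s</li>\n", esc_html( $v->ip ), esc_html( $v->urlrequested ) );
    }
}

$args = wassup_spy_args( $_GET );
if ( null === $args ) {
    wp_die( 'Invalid spy view parameters.' );
}
wassup_spy_render( wassup_spy_query( $args['from'], $args['to'], $args['rows'] ) );
```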
