search

NixOS / security

MIT License
30 stars 12 forks source link

Roundup: [oss-security] Persistent XSS in wordpress plugin rockhoist-badges v1.2.2 #113

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003eff

Should the search term be changed from wordpress? Suggest a new package search by commenting:

-suggested:wordpress +suggested:correctPackageName thread:0000000000003eff

Known CVEs: CVE-2017-6102

Skip to End

Wed, 01 Mar 2017 04:38:07 -0500 "Larry W. Cashdollar" , 4B868989-042B-4372-B240-CA7A707CA929@me.com
Title: Persistent XSS in wordpress plugin rockhoist-badges v1.2.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-20
Download Site: https://wordpress.org/plugins/rockhoist-badges/
Vendor: https://profiles.wordpress.org/esserq/
Vendor Notified: 2017-02-20
Vendor Contact:
Description: A Stack Overflow inspired plugin for WordPress which allows users to acquire badges for contributing website content. Badges are created and managed through the WordPress Dashboard.
Vulnerability:
There is a persistent cross site scripting vulnerability in the plugin Rockhoist Badges.  A user with the 
ability to edit_posts can inject malicious javascript.  Into the badge description or title field.

Line 603 doesn't sanitize user input before sending it to the browser in file ./rockhoist-badges/rh-badges.php:

-> 603: <span class="delete"><a href="?page=badges&action=deletecondition&badge_ID=<?php echo $_GET['badge_ID']; ?>&badge_condition_ID=<?php echo $badge_condition->badge_condition_id; ?>" class="delete-tag">Delete</a></span>

CVE-ID: CVE-2017-6102
Exploit Code:
    • "><script>alert(1);</script> in the title or description field will inject js.
Screen Shots: [http://www.vapidlabs.com/m/badges.jpg]
Advisory: http://www.vapidlabs.com/advisory.php?v=176

Skip to End

Mic92 commented 7 years ago

unstable: we don't have it packaged 17.03: we don't have it packaged 16.09: we don't have it packaged

grahamc commented 7 years ago

Thank you!