WordPress Product Bugs Report
Bug Name: XSS & CSRF in Crony Cronjob Manager Version 0.4.4
Software: Crony Cronjob Manager Version 0.4.4 (WordPress plugin)
Version: 0.4.4
Last Updated: 17-03-2015
Homepage: https://wordpress.org/plugins/crony/
Compatible up to WordPress 4.3.0 (requires 3.6 or higher)
Severity: High
Details
Proof of concept (PoC)
Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=crony&action=manage&do=create and set the value of the name variable to the payload
<script>alert(‘Vulnerable2CSRF&XSS’)</script>
then, after generating the CSRF request for the victim, send the request to the server. The added XSS payload will now be executed on the victim's machine, and the victim's machine can be compromised.
Note: the XSS payload was tested against the application once more after the unfiltered HTML setting had been applied in the wp-config.php file.
Issue 1:
The name variable in the POST request to http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=crony&action=manage&do=create is vulnerable to XSS, and the plugin is also exploitable via CSRF. This is explained in detail with the screenshots below.
Figure 1: Cronjobs list before the CSRF code & XSS payload get executed.
Figure 2: name variable input field which is vulnerable to XSS
Figure 3: Capturing the HTTP request in the intercepting proxy
Figure 4: Crafted HTML page with the XSS input and CSRF request
Note: After creating the CSRF HTML page, the user logs out and logs in again, and then the HTML page is executed. In this case we have executed it from the local machine.
Figure 5: XSS payload gets executed in the browser once the link sent by the attacker has been clicked.
Figure 6: XSS payload gets executed and a new cronjob is created.
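As an added illustration (not code from the Crony plugin, nor its 0.4.6 fix), the following hypothetical WordPress admin handler shows the two defects described in Issue 1, a create-cronjob POST with no CSRF protection and a name value that is stored and echoed back unescaped, next to a hardened form built on WordPress's own nonce, capability, sanitization and escaping APIs. The function names, the nonce action `example_create_cronjob`, the option key `example_cronjobs` and the hook registration are assumptions; the code only runs inside a WordPress admin page.

```php
<?php
// Added illustration, not code from the Crony plugin or its 0.4.6 fix.
// Hypothetical admin-page handler for a "create cronjob" form showing the
// two defects from the advisory side by side with their fixes:
//   1. no CSRF protection on the POST that creates a job
//   2. the "name" value stored and echoed back unescaped (stored XSS)
// Function names, nonce action, option key and hook are assumptions.

// --- Vulnerable pattern (what the advisory describes) ---------------------
function example_vulnerable_create_handler() {
    if ( isset( $_POST['name'] ) ) {
        // No nonce check: any page a logged-in admin visits can submit this.
        $jobs   = get_option( 'example_cronjobs', array() );
        $jobs[] = array( 'name' => $_POST['name'] );   // raw, unsanitized
        update_option( 'example_cronjobs', $jobs );
    }
}

function example_vulnerable_list() {
    foreach ( (array) get_option( 'example_cronjobs', array() ) as $job ) {
        echo '<li>' . $job['name'] . '</li>';          // unescaped output: XSS
    }
}

// --- Hardened pattern ------------------------------------------------------
function example_render_create_form() {
    echo '<form method="post">';
    // Emits a hidden nonce field bound to this action and the current user.
    wp_nonce_field( 'example_create_cronjob', 'example_nonce' );
    echo '<input type="text" name="name" value="">';
    submit_button( 'Add cronjob' );
    echo '</form>';
}

function example_hardened_create_handler() {
    if ( ! isset( $_POST['name'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage the site may create jobs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: wp_die()s if the nonce is missing or was not issued for
    // this user and action, so a cross-site form post never reaches the write.
    check_admin_referer( 'example_create_cronjob', 'example_nonce' );

    // Input sanitization: strips tags and control characters from the name.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
    if ( '' === $name ) {
        return;
    }
    $jobs   = get_option( 'example_cronjobs', array() );
    $jobs[] = array( 'name' => $name );
    update_option( 'example_cronjobs', $jobs );
}

function example_hardened_list() {
    foreach ( (array) get_option( 'example_cronjobs', array() ) as $job ) {
        // Output escaping: even a stored "<script>" renders as literal text.
        echo '<li>' . esc_html( $job['name'] ) . '</li>';
    }
}

add_action( 'admin_init', 'example_hardened_create_handler' );
```

The two fixes are independent and both are needed: the nonce stops a crafted page on another origin from creating a job with the admin's session, while sanitizing on input and escaping on output stops a name that does get stored (by whatever route) from executing in the browser of whoever reviews the cronjob list.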
Reproducing Steps
1) Log in to any WordPress application (as the attacker).
2) Click “Add new cronjob” in the Crony Cronjob Manager Version 0.4.4 plugin and capture the request in an intercepting proxy.
3) Now generate a CSRF request from the attacker's logged-in account.
4) Modify the request with the code you want executed in the victim's browser.
5) Enter “XSS&CSRF” as the value of the name variable and add any script, malicious code or payload.
6) Here it is
<script>alert(‘Vulnerable2CSRF&XSS’)</script>
which the attacker wants executed in the victim's browser; the attacker then sends the link to the victim.
7) Now, once the victim opens the link in a browser where they are logged in, the added XSS payload is executed immediately whenever we review it.
Timeline
2015-08-28 – Discovered in Crony Cronjob Manager Version 0.4.4.
2015-08-28 – Reported to plugins@wordpress.org & lol@scottkclark.com
2015-08-28 – lol@scottkclark.com replied, "I'll check it out, thanks for the heads up."
2015-09-08 – Another response from developer, "I'll be back into things tomorrow morning, will let you know once it's up."
2015-09-27 – Issues fixed in version 0.4.6, developer responded.
Discovered by: Sathish from Cyber Security Works Pvt Ltd