inboundnow / retired-landing-pages

Create landing pages for your WordPress site. Monitor and improve conversion rates, run A/B split tests, customize your own templates and more.
http://www.inboundnow.com/landing-pages/
GNU General Public License v2.0

XSS vulnerability: #202

Closed atwellpub closed 9 years ago

atwellpub commented 9 years ago

We found an XSS vulnerability in your Landing Page plugin, see the details below:

Problem: Unfiltered user input: $_REQUEST['new_meta_key']

Exploit: /wp-admin/post.php?post=9&action=edit&frontend=false&new_meta_key=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

File: landing-pages/modules/module.metaboxes-ab-testing.php

Line(s): 34

Code: var new_meta_key = "";

Recommended fix: var new_meta_key = "";

You should filter all user-defined values with esc_arg/esc_url or htmlentities.

We would really appreciate it if you could support our work by recommending or helping promote our WordPress security items.

You find some banners here: http://swte.ch/images/swiftsecurity/logos/

Our portfolio on CodeCanyon: http://codecanyon.net/user/swte/portfolio

If we can help you please don't hesitate to contact us!

Have a great day!

Regards James

atwellpub commented 9 years ago

This code has been refactored into this class. The code in question seems to be related to the quick stats display box in the Landing Pages listing page in wp-admin. Not sure how someone without admin access could perform an attack.

Going to get the security guy in on the ticket: https://github.com/inboundnow/landing-pages/blob/master/classes/class.metaboxes.php#L461

swifttechnologies commented 9 years ago

Hi,

The attacker doesn't need admin to exploit it. That's the point. You are the admin, and he suggests you visit this link: http://your-site.com/wp-admin/post.php?post=9&action=edit&frontend=false&new_meta_key=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

The attacker can steal your cookies, or create an admin user in the background, or whatever he wants. The sample JavaScript alert just demonstrates that the attacker can run JavaScript.

DavidWells commented 9 years ago

@atwellpub we just need to wrap: https://github.com/inboundnow/landing-pages/blob/master/classes/class.metaboxes.php#L461 in something that validates it can only be an integer/number; that will solve the hole

atwellpub commented 9 years ago

Ok added an is_numeric() test. Is that sufficient?

swifttechnologies commented 9 years ago

Yes it is
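The pattern behind this issue and the fix the thread settles on, as an added example that is not the plugin's own code: a request value written straight into an inline script block, beside a version that applies the is_numeric() check. The function names and the $request array are assumptions; the integer cast and json_encode go one step beyond what the thread agreed, as a second layer.

```php
<?php
// Added example (not the plugin's code): the pattern reported in issue #202.
// A request parameter is written straight into an inline <script> block, so a
// value containing "</script>" closes the script and the rest is parsed as HTML.

// Unsafe: mirrors the reported problem. $request stands in for $_REQUEST.
function render_quick_stats_unsafe(array $request): string {
    $key = isset($request['new_meta_key']) ? $request['new_meta_key'] : '';
    return '<script>var new_meta_key = "' . $key . '";</script>';
}

// Hardened: the value is only ever a post ID, so refuse anything non-numeric
// (the is_numeric() check agreed on in the thread) and cast to int so the
// emitted JavaScript can only ever contain digits.
function render_quick_stats_safe(array $request): string {
    $raw = isset($request['new_meta_key']) ? $request['new_meta_key'] : '';
    if (!is_numeric($raw)) {
        // Reject: never echo the raw value back into the page.
        return '<script>var new_meta_key = "";</script>';
    }
    $key = (int) $raw;
    // json_encode produces a JS-safe string literal as a second layer of defence.
    return '<script>var new_meta_key = ' . json_encode((string) $key) . ';</script>';
}

// Constructed inputs: a legitimate post ID and the payload shape from the report.
$benign  = ['new_meta_key' => '9'];
$hostile = ['new_meta_key' => '</script><script>alert(1);</script>'];

echo render_quick_stats_unsafe($hostile), PHP_EOL; // script boundary is broken
echo render_quick_stats_safe($hostile), PHP_EOL;   // hostile value is dropped
echo render_quick_stats_safe($benign), PHP_EOL;    // var new_meta_key = "9";
```

Inside WordPress the same result can be had with absint() on the input and esc_js() on the output; the plain-PHP calls above are used so the example runs stand-alone.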