Closed atwellpub closed 9 years ago
This code has been refactored into this class. The code in question seems to be related to the quick stats display box on the Landing Pages listing page in wp-admin. Not sure how someone without admin access could perform an attack.
Going to get the security guy in on the ticket: https://github.com/inboundnow/landing-pages/blob/master/classes/class.metaboxes.php#L461
Hi,
The attacker doesn't need admin to exploit it. That's the point. You are the admin, and he suggests you visit this link: http://your-site.com/wp-admin/post.php?post=9&action=edit&frontend=false&new_meta_key=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
The attacker can steal your cookies, or create an admin user in the background, or whatever he wants. The sample JavaScript alert just demonstrates that the attacker can run JavaScript.
@atwellpub we just need to wrap https://github.com/inboundnow/landing-pages/blob/master/classes/class.metaboxes.php#L461 in something that validates it can only be an integer/number; that will solve the hole.
Ok added an is_numeric() test. Is that sufficient?
Yes it is
We found an XSS vulnerability in your Landing Page plugin, see the details below:
Problem: Unfiltered user input: $_REQUEST['new_meta_key']
Exploit: /wp-admin/post.php?post=9&action=edit&frontend=false&new_meta_key=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
File: landing-pages/modules/module.metaboxes-ab-testing.php
Line(s): 34
Code: var new_meta_key = "";
Recommended fix: var new_meta_key = "";
You should filter all user-defined values with esc_arg/esc_url or htmlentities.
We would really appreciate it if you could support our work by recommending or helping promote our Wordpress security items.
You find some banners here: http://swte.ch/images/swiftsecurity/logos/
Our portfolio on CodeCanyon: http://codecanyon.net/user/swte/portfolio
If we can help you please don't hesitate to contact us!
Have a great day!
Regards James
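The pattern behind this report, shown as an added example rather than the plugin's own code: a request parameter is echoed into a `<script>` block, the value closes the string and the script element, and the remaining text runs as script in the admin's browser. The function and variable names below are illustrative, not the plugin's; the sample inputs are constructed from the payload in the report. The first fix is the one the thread settled on (is_numeric()); the third function shows the encoding route for cases where the value has to stay a free-form string, using wp_json_encode() inside WordPress and plain json_encode() elsewhere.

```php
<?php
// Added example, not code from the landing-pages plugin. Names are illustrative.

// Vulnerable pattern: the raw request value is concatenated into a JS string
// literal inside <script>. The HTML parser ends the script element at the first
// "</script", so a value containing that sequence breaks out of the string.
function render_meta_key_script_vulnerable( array $request ): string {
    $new_meta_key = isset( $request['new_meta_key'] ) ? $request['new_meta_key'] : '';
    return '<script>var new_meta_key = "' . $new_meta_key . '";</script>';
}

// Fix applied in the thread: the value is only used when it is numeric, and it
// is cast to int so the emitted text can never contain markup. Non-numeric
// input (including the payload from the report) degrades to an empty value.
function render_meta_key_script_numeric( array $request ): string {
    $raw          = isset( $request['new_meta_key'] ) ? $request['new_meta_key'] : '';
    $new_meta_key = is_numeric( $raw ) ? (int) $raw : '';
    return '<script>var new_meta_key = "' . $new_meta_key . '";</script>';
}

// Alternative for values that genuinely must be strings: emit a JSON literal
// for the JS context. JSON_HEX_TAG turns "<" and ">" into \u003C / \u003E and
// the default "/" escaping yields "\/", so "</script" can never appear in the
// output. wp_json_encode() is the WordPress wrapper around json_encode().
function render_meta_key_script_encoded( array $request ): string {
    $raw        = isset( $request['new_meta_key'] ) ? (string) $request['new_meta_key'] : '';
    $js_literal = function_exists( 'wp_json_encode' )
        ? wp_json_encode( $raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS )
        : json_encode( $raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS );
    return '<script>var new_meta_key = ' . $js_literal . ';</script>';
}

// Constructed inputs: the decoded payload from the report, and a legitimate id.
$payload = array( 'new_meta_key' => '</script><script>alert(1);</script>' );
$legit   = array( 'new_meta_key' => '9' );

// The vulnerable renderer reproduces the payload verbatim inside the page;
// the numeric renderer emits an empty string for it and "9" for the real id;
// the encoded renderer emits a single JS string literal with no "</script".
echo render_meta_key_script_vulnerable( $payload ), PHP_EOL;
echo render_meta_key_script_numeric( $payload ), PHP_EOL;
echo render_meta_key_script_numeric( $legit ), PHP_EOL;
echo render_meta_key_script_encoded( $payload ), PHP_EOL;
```

Run it with `php example.php` and compare the four lines: only the first still contains a closing script tag followed by attacker-controlled script. The is_numeric() check is the right fix here because the parameter is an id, so rejecting everything else costs nothing; the JSON-encoding variant is the one to reach for when the value is legitimately free text and must survive intact.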