nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

XSS vulnerability in WordPress OneTone theme #567

Closed sahrulfatih closed 11 months ago

sahrulfatih commented 3 years ago

Can Naxsi stop the XSS attack on the OneTone theme vulnerability? And what is the proper naxsi rule to solve this problem?

https://blog.nintechnet.com/unauthenticated-stored-xss-vulnerability-in-wordpress-onetone-theme-unpatched/
https://wpscan.com/vulnerability/10165

Thanks.

wargio commented 3 years ago

Yes, you can blacklist access to wp-content/themes/onetone/includes/theme-functions.php:

MainRule  "str:wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:URL" "s:$XSS:8" id:123456;

Change $XSS based on your CheckRule settings, and give it a better id than 123456.

If you really need access to that function, you can also block POST requests whose body contains the options key.

sahrulfatih commented 3 years ago

I used a curl command to perform the XSS attack after adding the naxsi rules given above, and the result is still impenetrable. I am using Ubuntu 18.04 as the server and Kali Linux as the attacker. What is a more appropriate naxsi rule to deal with this problem? Thanks for the response.

wargio commented 3 years ago

Depends. If the URL is needed for loading the theme and must be called, then just block the POST request by setting a rule on the body:

MainRule  "str:options" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:$URL:wp-content/themes/onetone/includes/theme-functions.php|BODY_RAW" "s:$XSS:8" id:123456;

Something like this should work.

I do not know whether your naxsi config works, etc.

sahrulfatih commented 3 years ago

@wargio

MainRule "str:options" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:$URL:wp-content/themes/onetone/includes/theme-functions.php|BODY_RAW" "s:$XSS:8" id:12312312;

After adding the rule I got this error:

wargio commented 3 years ago

Change BODY_RAW to RAW_BODY.

sahrulfatih commented 3 years ago

After changing BODY_RAW to RAW_BODY in the second rule, the rule is correct, but the first rule has an error like the second rule had:

MainRule "str:wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:URL" "s:$XSS:8" id:123456;

I tried changing the first rule to something like this:

MainRule "str:/wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123127;

After combining those two naxsi rules and trying to do an attack using the curl command, the result is still impenetrable:

MainRule "str:options" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123124;
MainRule "str:/wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123127;

On Kali Linux, the URL http://192.168.169.15/wp-admin/admin-ajax.php?action=onetone_options_import can be opened in the browser. Import using the browser:

http://192.168.169.15/wp-admin/admin-ajax.php?action=onetone_options_import' --data 'options={"top_bar_info_content":"<script>alert(0)<\/script>","display_top_bar":"yes"}

wargio commented 3 years ago

Oh wait. I just noticed that you call a different path than expected:

MainRule "str:onetone_options_import" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:$URL:wp-admin/admin-ajax.php|ARGS" "s:$XSS:8" id:123456;

The URL needs to be set to where the attacker is calling the function, in this case wp-admin/admin-ajax.php.

wargio commented 3 years ago

Or even better:

MainRule "str:options" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123127;
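
The rules in this thread only bite once the surrounding nginx configuration lets naxsi see the request, which none of the comments above spell out. The following is an added example, not configuration from the thread or from the naxsi project, covering the custom MainRule idea from the first reply and the admin-ajax.php target identified just above. It assumes a dynamic-module build at the usual Debian/Ubuntu paths, a WordPress root of /var/www/wordpress, PHP-FPM on the Ubuntu 18.04 php7.2 socket, and rule ids 42000100/42000101 (any id that does not collide with naxsi_core.rules, which occupies 1000-1999, will do). The $URL: path is written like the request URI, with the leading slash; str: is a case-insensitive substring match; ARGS is the query string and $BODY_VAR:options the POST field the exploit fills.

```nginx
# Added example (not from the thread or the naxsi project). Paths, the
# WordPress root, the PHP-FPM socket and the rule ids are assumptions.
load_module modules/ngx_http_naxsi_module.so;   # dynamic build only; drop for a static build

events {
    worker_connections 1024;
}

http {
    # Core rule set, ids 1000-1999. It already scores "<" (id 1302) and ">"
    # (id 1303) as $XSS:8 each in ARGS|URL|BODY, so a working, non-learning
    # install reaches the $XSS >= 8 threshold on the <script> payload from
    # this thread without any custom rule.
    include /etc/nginx/naxsi_core.rules;

    # MainRule belongs in http{}. s:$XSS:8 is chosen so that one hit alone
    # crosses the CheckRule below; raise or lower it with your thresholds.
    MainRule "str:onetone_options_import" "msg:OneTone options import (CVE-2019-17230, CVE-2019-17231)" "mz:$URL:/wp-admin/admin-ajax.php|ARGS" "s:$XSS:8" id:42000100;
    MainRule "str:<script" "msg:OneTone XSS in options import body" "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:options" "s:$XSS:8" id:42000101;

    server {
        listen 80;
        root /var/www/wordpress;
        index index.php;

        # naxsi directives are per-location and do not carry over to sibling
        # locations. admin-ajax.php is served by the php location below, so
        # SecRulesEnabled and the CheckRules must be present there too, or
        # the exploit request is never inspected at all.
        location / {
            SecRulesEnabled;
            # LearningMode;        # while this is on, hits are only logged, never denied
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            SecRulesEnabled;
            # LearningMode;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            include snippets/fastcgi-php.conf;          # Debian/Ubuntu nginx packaging
            fastcgi_pass unix:/run/php/php7.2-fpm.sock; # assumed socket path
        }

        # naxsi internally redirects denied requests here.
        location /RequestDenied {
            return 403;
        }
    }
}
```

Before relying on a custom rule, confirm the install with `nginx -t` and a request that should trip a core rule; if that request is not denied, check for LearningMode and for a location that serves the path without SecRulesEnabled before tuning rules.
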

sahrulfatih commented 3 years ago

Import using the browser actually does nothing:

http://192.168.169.15/wp-admin/admin-ajax.php?action=onetone_options_import' --data 'options={"top_bar_info_content":"<script>alert(0)<\/script>","display_top_bar":"yes"}

But if using the curl command from the terminal, the command can still be executed successfully even after adding the rules:

MainRule "str:onetone_options_import" "msg:OneTone" "mz:$URL:wp-admin/admin-ajax.php|ARGS" "s:$XSS:8" id:12312326;
MainRule "str:options" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123127;

I added some other rules like this:

MainRule "str:display_top_bar" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123128;
MainRule "str:/wp-admin/customize.php" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123129;
MainRule "str:onetone[display_top_bar]" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123130;

I tried to edit the header after the attack; then it looks like this. The curl command is actually very simple: it imports the script and then displays the Display Top Bar. If the Display Top Bar is changed to no, then the attack has no effect.

Inspect view to see the id of the Display Top Bar.

wargio commented 3 years ago

Are you sure you have set up naxsi correctly?

sahrulfatih commented 3 years ago

Yes, of course. I have tried the rules to block wpscan's enumeration of usernames, and naxsi works fine to block wpscan. Does the above rule work when you try it? I installed nginx with naxsi this way: https://webdock.io/en/docs/how-guides/security-guides/how-secure-nginx-naxsi-firewall-ubuntu-1804-vps

sahrulfatih commented 3 years ago

Maybe I have misconfigured naxsi. BTW, thank you very much for your reply. 👍

wargio commented 3 years ago

Check from the logs whether it is running. I would suggest installing the deb from https://github.com/nbs-system/naxsi/releases/tag/1.3 and then just following the release notes.
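
The log check suggested above is the fastest way to separate "naxsi never saw the request" from "naxsi saw it but LearningMode let it through". The script below is an added example, not part of the thread or the naxsi project: it parses the NAXSI_FMT line that naxsi writes to the nginx error log for a scored request (the `ip`, `server`, `uri`, `learning`, `vers`, `total_processed`, `total_blocked`, `block` fields followed by `cscoreN`/`scoreN` and `zoneN`/`idN`/`var_nameN` groups) and reduces the lines for one URI to a verdict. The sample log lines are constructed; the attacker address 192.168.169.20 is an assumption, the server address is the one from the thread, and the rule ids are the core `<` and `>` rules 1302 and 1303.

```python
"""Triage naxsi error-log lines: did the WAF see the request, and did it deny it?

Added example, not part of the thread or the naxsi project. NAXSI_FMT lines
look like
  ... NAXSI_FMT: ip=A&server=B&uri=/x&learning=0&vers=1.3&total_processed=N
      &total_blocked=M&block=1&cscore0=$XSS&score0=16&zone0=BODY&id0=1302
      &var_name0=options, client: A, server: _, request: "POST /x HTTP/1.1", ...
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Everything between "NAXSI_FMT: " and the ", client:" suffix nginx appends is
# a URL-encoded key=value list; encoded values contain no raw space or comma.
NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<kv>[^\s,]+)")


@dataclass
class NaxsiEvent:
    uri: str
    learning: bool      # learning=1: scored and logged, but passed through
    block: bool         # block=1: a CheckRule BLOCK threshold was crossed
    scores: Dict[str, int] = field(default_factory=dict)            # {"$XSS": 16}
    hits: List[Tuple[int, str, str]] = field(default_factory=list)  # (rule id, zone, var)

    @property
    def denied(self) -> bool:
        """True only when the client actually received the DeniedUrl response."""
        return self.block and not self.learning


def parse_naxsi_fmt(line: str) -> Optional[NaxsiEvent]:
    """Parse one error-log line; None if it is not a NAXSI_FMT line."""
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return None
    kv = parse_qs(m.group("kv"), keep_blank_values=True)

    def first(key: str, default: str = "") -> str:
        return kv.get(key, [default])[0]

    ev = NaxsiEvent(uri=first("uri"),
                    learning=first("learning") == "1",
                    block=first("block") == "1")
    i = 0
    while f"cscore{i}" in kv:          # one counter per scored category, e.g. $XSS
        ev.scores[first(f"cscore{i}")] = int(first(f"score{i}", "0"))
        i += 1
    i = 0
    while f"id{i}" in kv:              # one group per MainRule that matched
        ev.hits.append((int(first(f"id{i}")), first(f"zone{i}"), first(f"var_name{i}")))
        i += 1
    return ev


def verdict(log_text: str, uri: str) -> Tuple[str, List[int]]:
    """Summarise what naxsi did with requests to `uri`.

    "not-seen": no NAXSI_FMT line names the uri, so the request never reached
    an enabled naxsi location (module not loaded, SecRulesEnabled missing from
    the location that served it) or matched no rule at all.
    "learning-only": rules fired but LearningMode let the request through.
    "scored-only": rules fired and were logged without a BLOCK threshold.
    "blocked": at least one request to the uri was denied.
    """
    events = [ev for ev in map(parse_naxsi_fmt, log_text.splitlines())
              if ev is not None and ev.uri == uri]
    if not events:
        return "not-seen", []
    ids = sorted({rid for ev in events for rid, _, _ in ev.hits})
    if any(ev.denied for ev in events):
        return "blocked", ids
    if any(ev.learning for ev in events):
        return "learning-only", ids
    return "scored-only", ids


# Constructed sample logs (not captured from a real host). Same POST to
# admin-ajax.php, first on a live install, then under LearningMode.
SAMPLE_LOG_LIVE = """\
2021/08/09 10:00:01 [error] 1234#0: *7 NAXSI_FMT: ip=192.168.169.20&server=192.168.169.15&uri=/wp-admin/admin-ajax.php&learning=0&vers=1.3&total_processed=12&total_blocked=3&block=1&cscore0=$XSS&score0=16&zone0=BODY&id0=1302&var_name0=options&zone1=BODY&id1=1303&var_name1=options, client: 192.168.169.20, server: _, request: "POST /wp-admin/admin-ajax.php?action=onetone_options_import HTTP/1.1", host: "192.168.169.15"
2021/08/09 10:00:02 [error] 1234#0: *8 open() "/var/www/wordpress/favicon.ico" failed (2: No such file or directory), client: 192.168.169.20
"""
SAMPLE_LOG_LEARNING = """\
2021/08/09 10:05:17 [error] 1234#0: *9 NAXSI_FMT: ip=192.168.169.20&server=192.168.169.15&uri=/wp-admin/admin-ajax.php&learning=1&vers=1.3&total_processed=13&total_blocked=4&block=1&cscore0=$XSS&score0=16&zone0=BODY&id0=1302&var_name0=options&zone1=BODY&id1=1303&var_name1=options, client: 192.168.169.20, server: _, request: "POST /wp-admin/admin-ajax.php?action=onetone_options_import HTTP/1.1", host: "192.168.169.15"
"""

if __name__ == "__main__":
    for name, log in (("live", SAMPLE_LOG_LIVE), ("learning", SAMPLE_LOG_LEARNING)):
        print(name, verdict(log, "/wp-admin/admin-ajax.php"))
    print("xmlrpc", verdict(SAMPLE_LOG_LIVE, "/xmlrpc.php"))
```

On a real host, feed it `/var/log/nginx/error.log` (or wherever `error_log` points) and the URI the curl command hits; a "not-seen" verdict for a request that visibly succeeded means the problem is the module or the location configuration, not the rule text.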

sahrulfatih commented 3 years ago

I'm a little confused by this configuration: https://webdock.io/en/docs/how-guides/security-guides/how-secure-nginx-naxsi-firewall-ubuntu-1804-vps How do I remove all dynamic modules, add the new arguments --add-module=/root/naxsi-master/naxsi_src/ and --sbin-path=/usr/sbin/nginx, and add ./configure at the beginning of the configure arguments?

wargio commented 3 years ago

If you want to build it from source, just follow the original tutorial: https://github.com/nbs-system/naxsi/wiki/naxsi-compile#build-naxsi-as-a-dynamic-extension-for-nginx-from-your-distribution-package-ie-ubuntu

sahrulfatih commented 3 years ago

Thank you. very helpful. 👍