Closed sahrulfatih closed 11 months ago
Yes, you can blacklist the access to wp-content/themes/onetone/includes/theme-functions.php.

```
MainRule "str:wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:URL" "s:$XSS:8" id:123456;
```

Change $XSS based on your CheckRule settings and give a better id than 123456.
If you really need to get access to that fcn, you can also block POST requests whose body contains the `options` key.
I used the curl command to perform an XSS attack after adding the naxsi rules given above, and the result is still impenetrable. I am using Ubuntu 18.04 as the server and Kali Linux as the attacker. What is a more appropriate naxsi rule to deal with this problem? Thanks for the response.
Depends. If the URL is needed for loading the theme and must be called, then just block the POST request by setting a rule on the body:

```
MainRule "str:options" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:$URL:wp-content/themes/onetone/includes/theme-functions.php|BODY_RAW" "s:$XSS:8" id:123456;
```

Something like this should work. I do not know if your naxsi config works, etc.
@wargio

```
MainRule "str:options" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:$URL:wp-content/themes/onetone/includes/theme-functions.php|BODY_RAW" "s:$XSS:8" id:12312312;
```

After adding the rules I got this error.
Change BODY_RAW to RAW_BODY.
After changing BODY_RAW to RAW_BODY in the second rule, the rule is correct, but the first rule has an error like the second rule had:

```
MainRule "str:wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:URL" "s:$XSS:8" id:123456;
```

I tried changing the first rule to something like this:

```
MainRule "str:/wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123127;
```

After combining those two naxsi rules and trying an attack using the curl command, the result is still impenetrable:

```
MainRule "str:options" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123124;
MainRule "str:/wp-content/themes/onetone/includes/theme-functions.php" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123127;
```
On Kali Linux, the URL

```
http://192.168.169.15/wp-admin/admin-ajax.php?action=onetone_options_import
```

can be opened in the browser. Import using the browser:

```
http://192.168.169.15/wp-admin/admin-ajax.php?action=onetone_options_import' --data 'options={"top_bar_info_content":"<script>alert(0)<\/script>","display_top_bar":"yes"}
```
Oh wait, I just noticed that you call a different path than expected.

```
MainRule "str:onetone_options_import" "msg:OneTone CVE-2019-17230, CVE-2019-17231" "mz:$URL:wp-admin/admin-ajax.php|ARGS" "s:$XSS:8" id:123456;
```

The URL needs to be set to where the attacker is calling the fcn, in this case wp-admin/admin-ajax.php. Or even better:

```
MainRule "str:options" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123127;
```
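To make the point about the `$URL:` part of the match zone concrete, here is an added toy model of how a `MainRule` is applied to one request. It is not naxsi's code and does not reproduce its engine: it assumes the semantics discussed above (the `$URL:` prefix restricts the rule to a path, and the `str:` pattern is then searched only in the listed zones) and models the path restriction as a case-insensitive substring test, which is an assumption to verify against the naxsi documentation for the installed version. The three rules are copied from this thread; the request body is a constructed minimal import carrying only the `options` key.

```python
"""
Toy model of how a naxsi MainRule with a "$URL:...|ZONE" match zone is applied
to a request. Added illustration, not naxsi's own code. Assumption: the $URL:
restriction is modeled as a case-insensitive substring test on the request path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    uri: str              # request path without the query string
    args: Dict[str, str]  # decoded query-string parameters
    raw_body: str         # POST body exactly as received


@dataclass
class MainRule:
    pattern: str          # the str: value
    url: Optional[str]    # $URL: restriction, None when the rule has none
    zones: Set[str]       # zones the pattern is searched in, e.g. {"ARGS", "RAW_BODY"}
    rule_id: int
    score: int            # points added to $XSS when the rule matches


def parse_rule(line: str) -> MainRule:
    """Parse the subset of MainRule syntax used in this thread (str:, mz:, s:$XSS:N, id:)."""
    pattern = re.search(r'"str:([^"]+)"', line).group(1)
    mz = re.search(r'"mz:([^"]+)"', line).group(1)
    rule_id = int(re.search(r"\bid:(\d+)", line).group(1))
    score_m = re.search(r'"s:\$XSS:(\d+)"', line)
    score = int(score_m.group(1)) if score_m else 0
    url = None
    zones: Set[str] = set()
    for part in mz.split("|"):
        if part.startswith("$URL:"):
            url = part[len("$URL:"):]
        else:
            zones.add(part)
    return MainRule(pattern, url, zones, rule_id, score)


def request_from(path_with_query: str, body: str = "") -> Request:
    """Build a Request from a path-with-query string and an optional body."""
    parts = urlsplit(path_with_query)
    return Request(parts.path, dict(parse_qsl(parts.query)), body)


def rule_matches(rule: MainRule, req: Request) -> bool:
    # A $URL: restriction that does not match the request path disables the
    # rule entirely, whatever the arguments or body contain.
    if rule.url is not None and rule.url.lower() not in req.uri.lower():
        return False
    needle = rule.pattern.lower()
    if "URL" in rule.zones and needle in req.uri.lower():
        return True
    if "ARGS" in rule.zones:
        for name, value in req.args.items():
            if needle in name.lower() or needle in value.lower():
                return True
    if "RAW_BODY" in rule.zones and needle in req.raw_body.lower():
        return True
    return False


def evaluate(rules: List[MainRule], req: Request) -> Tuple[List[int], int]:
    """Return the ids of the rules that fire and the resulting $XSS score."""
    fired = [r for r in rules if rule_matches(r, req)]
    return [r.rule_id for r in fired], sum(r.score for r in fired)


# Rules quoted in this thread: one anchored on the theme file path, two
# anchored on wp-admin/admin-ajax.php, where the request is actually sent.
RULES = [parse_rule(r) for r in [
    'MainRule "str:options" "msg:OneTone XSS" "mz:$URL:/wp-content/themes/onetone/includes/theme-functions.php|RAW_BODY" "s:$XSS:8" id:123123124;',
    'MainRule "str:onetone_options_import" "msg:OneTone" "mz:$URL:wp-admin/admin-ajax.php|ARGS" "s:$XSS:8" id:12312326;',
    'MainRule "str:options" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123127;',
]]

# Constructed request: the admin-ajax import action with a minimal options body.
REQUEST = request_from(
    "/wp-admin/admin-ajax.php?action=onetone_options_import",
    'options={"display_top_bar":"yes"}',
)


def demo() -> Tuple[List[int], int]:
    return evaluate(RULES, REQUEST)


if __name__ == "__main__":
    ids, score = demo()
    print("rules fired:", ids, "$XSS score:", score)
```

Running it shows the theme-path rule (id 123123124) never fires for this request, while the two admin-ajax rules do and together reach a $XSS score of 16. Note that `str:options` on RAW_BODY matches every options import on that endpoint, legitimate ones included, so such a rule is a blanket block on the import feature rather than a filter for malicious payloads.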
Import using the browser actually does nothing.

```
http://192.168.169.15/wp-admin/admin-ajax.php?action=onetone_options_import' --data 'options={"top_bar_info_content":"<script>alert(0)<\/script>","display_top_bar":"yes"}
```

But if using the curl command from the terminal, the command can still be executed successfully even after adding the rules:

```
MainRule "str:onetone_options_import" "msg:OneTone" "mz:$URL:wp-admin/admin-ajax.php|ARGS" "s:$XSS:8" id:12312326;
MainRule "str:options" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123127;
```

I added some other rules like this:

```
MainRule "str:display_top_bar" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123128;
MainRule "str:/wp-admin/customize.php" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123129;
MainRule "str:onetone[display_top_bar]" "msg:OneTone XSS" "mz:$URL:wp-admin/admin-ajax.php|RAW_BODY" "s:$XSS:8" id:123123130;
```

I tried to edit the header after the attack, then it looks like this. The curl command is actually very simple: it imports the script and then displays the Display Top Bar. If the Display Top Bar is changed to no, then the attack has no effect.

Inspect view to see the id of the Display Top Bar.
Are you sure you have set up naxsi correctly?
Yes, of course. I have tried the rules to block wpscan for enumeration of usernames, and naxsi works fine to block wpscan. Does the above rule work when you try it? I tried this way to install nginx with naxsi: https://webdock.io/en/docs/how-guides/security-guides/how-secure-nginx-naxsi-firewall-ubuntu-1804-vps
Maybe I have misconfigured naxsi. BTW, thank you very much for your reply.. 👍
Check if it is running from the logs. I would suggest to install the deb here https://github.com/nbs-system/naxsi/releases/tag/1.3 then just follow the release notes.
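Checking the logs is the quickest way to tell whether naxsi is loaded at all and which rules fired. The following added script (not part of the naxsi project) parses `NAXSI_FMT` entries out of nginx's error log. The sample log lines are constructed; their layout follows the `NAXSI_FMT` format as documented for naxsi 1.x (key=value pairs joined by `&`, `cscoreN`/`scoreN` pairs for named scores, `zoneN`/`idN`/`var_nameN` triples for each matched rule), which is an assumption to compare against the output of your own installation. The rule ids and addresses reuse the values from this thread.

```python
"""
Parse NAXSI_FMT entries from an nginx error log to confirm naxsi is active and
to see which rule ids fired on which URI. Added example, not naxsi's own code;
the field layout is assumed from the NAXSI_FMT format of naxsi 1.x.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two NAXSI_FMT events and one unrelated nginx error line.
SAMPLE_LOG = """\
2021/08/09 10:00:01 [error] 1234#1234: *1 NAXSI_FMT: ip=192.168.169.20&server=192.168.169.15&uri=/wp-admin/admin-ajax.php&learning=0&vers=1.3&total_processed=3&total_blocked=1&block=1&cscore0=$XSS&score0=16&zone0=ARGS&id0=12312326&var_name0=action&zone1=BODY&id1=123123127&var_name1=, client: 192.168.169.20, server: _, request: "POST /wp-admin/admin-ajax.php?action=onetone_options_import HTTP/1.1", host: "192.168.169.15"
2021/08/09 10:00:05 [error] 1234#1234: *2 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.168.169.20, server: _, request: "GET /favicon.ico HTTP/1.1", host: "192.168.169.15"
2021/08/09 10:00:09 [error] 1234#1234: *3 NAXSI_FMT: ip=192.168.169.20&server=192.168.169.15&uri=/wp-admin/admin-ajax.php&learning=0&vers=1.3&total_processed=4&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=12312326&var_name0=action, client: 192.168.169.20, server: _, request: "GET /wp-admin/admin-ajax.php?action=onetone_options_import HTTP/1.1", host: "192.168.169.15"
"""

SCORE_KEY = re.compile(r"^(cscore|score)(\d+)$")        # cscore0=$XSS&score0=16
MATCH_KEY = re.compile(r"^(zone|id|var_name)(\d+)$")    # zone0=ARGS&id0=...&var_name0=...


def parse_naxsi_line(line: str) -> Optional[dict]:
    """Return the parsed NAXSI_FMT event in a log line, or None if the line is not one."""
    if "NAXSI_FMT: " not in line:
        return None
    # The naxsi payload runs from the marker up to nginx's own ", client:" suffix.
    payload = line.split("NAXSI_FMT: ", 1)[1].split(", client:", 1)[0]
    fields: Dict[str, str] = {}
    scores: Dict[int, Dict[str, str]] = {}
    matches: Dict[int, Dict[str, str]] = {}
    for pair in payload.split("&"):
        key, _, value = pair.partition("=")
        if (m := SCORE_KEY.match(key)):
            scores.setdefault(int(m.group(2)), {})[m.group(1)] = value
        elif (m := MATCH_KEY.match(key)):
            matches.setdefault(int(m.group(2)), {})[m.group(1)] = value
        else:
            fields[key] = value
    return {
        "ip": fields.get("ip"),
        "uri": fields.get("uri"),
        "learning": fields.get("learning") == "1",
        "blocked": fields.get("block") == "1",
        "scores": {s["cscore"]: int(s["score"]) for s in scores.values()
                   if "cscore" in s and "score" in s},
        "rule_ids": [int(matches[i]["id"]) for i in sorted(matches) if "id" in matches[i]],
        "zones": [matches[i].get("zone", "") for i in sorted(matches)],
        "var_names": [matches[i].get("var_name", "") for i in sorted(matches)],
    }


def parse_log(text: str) -> List[dict]:
    """All NAXSI_FMT events in a log text, in file order."""
    return [ev for ev in (parse_naxsi_line(l) for l in text.splitlines()) if ev is not None]


def events_for_rule(events: List[dict], rule_id: int) -> List[dict]:
    """Events in which the given rule id contributed to the score."""
    return [ev for ev in events if rule_id in ev["rule_ids"]]


def summarize(events: List[dict]) -> Tuple[int, int]:
    """(number of NAXSI_FMT events, number of them that were blocked)."""
    return len(events), sum(1 for ev in events if ev["blocked"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naxsi events (total, blocked):", summarize(evs))
    for ev in evs:
        state = "blocked" if ev["blocked"] else "passed"
        print(ev["uri"], state, "rules:", ev["rule_ids"], "scores:", ev["scores"])
```

Point `parse_log` at the contents of the real error log (by default /var/log/nginx/error.log on Debian and Ubuntu packages) after sending a test request: if no `NAXSI_FMT` line appears at all, the module is not loaded or `SecRulesEnabled` is not set for that location, and rule tuning is premature; if events appear with `learning=1`, requests are logged but not blocked.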
I'm a little confused by this configuration. https://webdock.io/en/docs/how-guides/security-guides/how-secure-nginx-naxsi-firewall-ubuntu-1804-vps How to remove all dynamic modules, add the new arguments --add-module=/root/naxsi-master/naxsi_src/ and --sbin-path=/usr/sbin/nginx, and add ./configure at the beginning of the configure arguments?
If you want to build it from sources, just follow the original tutorial https://github.com/nbs-system/naxsi/wiki/naxsi-compile#build-naxsi-as-a-dynamic-extension-for-nginx-from-your-distribution-package-ie-ubuntu
Thank you. very helpful. 👍
Can Naxsi overcome the XSS attack on the OneTone theme vulnerability? And what is the proper naxsi rule to solve this problem?

https://blog.nintechnet.com/unauthenticated-stored-xss-vulnerability-in-wordpress-onetone-theme-unpatched/ https://wpscan.com/vulnerability/10165

Thanks.