lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 21 Jun 2021 09:41:45 +0200
From: Johannes Lauinger <johannes.lauinger@...s.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] SYSS-2021-032 Admin Columns WordPress Plug-In - Persistent
 Cross-Site Scripting

Advisory ID:               SYSS-2021-032
Product:                   Admin Columns WordPress Plug-In
Manufacturer:              Codepress
Affected Version(s):       <5.5.2 (Pro version), <4.3.2 (Free version)
Tested Version(s):         5.5.1 (Pro version), 4.3 (Free version)
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2021-05-28
Solution Date:             2021-06-18
Public Disclosure:         2021-06-21
CVE Reference:             CVE-2021-24365
Author of Advisory:        Johannes Lauinger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Admin Columns is a WordPress plug-in, which allows creating tables of
data based on a custom columns configuration. The plug-in also allows
changing standard tables in the WordPress back end.

The manufacturer describes the product as follows (see [1]):

"Growing websites can become challenging to manage. Admin Columns helps
you to overcome this challenge. Create insightful overviews to easily
find, order, filter and update your content."

Due to missing escaping of HTML tags in columns of the type "Custom
Field", tables are vulnerable to persistent cross-site scripting
attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Admin Columns allows configuring individual columns for tables. Each
column has a type. The type "Custom Field" allows choosing an arbitrary
database column to display in the table. There is no escaping applied to
the contents of "Custom Field" columns.

When a "Custom Field" is used with a database column that can be
changed by attackers, JavaScript code can be injected. The code is
executed when the table is rendered. Tables can be rendered both in the
WordPress front end and back end, possibly compromising high-privileged
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Create a custom field for WordPress users which allows storing HTML
    control characters. This can be done, e.g., with the "Advanced Custom
    Fields" plug-in [2].

2. Store "<img src=0 onerror=alert()>" in the custom field for any user.

3. Open the Admin Columns plug-in settings.

4. Choose the "Admin Columns" tab and select "Users" from the drop-down
    menu.

5. Click "Add Column", choose the type "Custom Field" and select the
    previously created custom field.

6. Open the user list in the WordPress back end. The JavaScript code
    will be executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Admin Columns to at least version 5.5.2 (Pro version) or 4.3.2
(free version).

In earlier versions, do not use the "Custom Fields / Custom Field" type
when configuring columns in the Admin Columns plug-in settings.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-05-27: Vulnerability discovered
2021-05-28: Vulnerability reported to manufacturer
2021-06-18: Patch released by manufacturer
2021-06-21: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Admin Columns
     https://www.admincolumns.com
[2] Product website for Advanced Custom Fields
     https://www.advancedcustomfields.com
[3] SySS Security Advisory SYSS-2021-032
 
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-032.txt
[3] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Johannes Lauinger of SySS GmbH.

E-Mail: johannes.lauinger@...s.de
Public Key: 
https://www.syss.de/fileadmin/dokumente/PGPKeys/Johannes_Lauinger.asc
Key ID: 0xC4314DF622D60262
Key Fingerprint: 3F79 A293 AE08 0A92 65EB 25D2 C431 4DF6 22D6 0262

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-- 
Johannes Lauinger
IT Security Consultant

Pronomen: er, ihn, Herr
______________________________________________________________

SySS GmbH
Schaffhausenstraße 77, 72072 Tübingen, Germany
Tel: +49 (0)7071 - 40 78 56-6224
Mobil: +49 (0)151 - 29 23 56 39
E-Mail: johannes.lauinger@...s.de
Conf. Calls: https://syss.zoom.us/
Web: https://syss.de

PGP-Fingerprint: 3F79 A293 AE08 0A92 65EB  25D2 C431 4DF6 22D6 0262

Geschäftsführer: Sebastian Schreiber
Registergericht: Amtsgericht Stuttgart / HRB 382420
Steuernummer: 86118 / 55809

Download attachment "OpenPGP_0xC4314DF622D60262.asc" of type "application/pgp-keys" (3156 bytes)

Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists