It’s Not You. It’s Them. On Hacking and Responsible Disclosure.

A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a team that has the ability to hack into any system they take an interest in, and I’ve studied cybersecurity ethics and am familiar with the consequences of hacking in 2021. I’m also aware of the fallibility of humans. So I was obliged to reply on HN.

The short version is this: In the United States, hacking crimes are governed by the CFAA – the Computer Fraud and Abuse Act. The criminal penalties are extremely harsh, and many cybercrimes are handled in federal court. If you do access a computer system without authorization, or exceed the authorization you have been given – which are both criminal offenses under CFAA – you’ve given yourself a pretty good shot at ruining your life. Being charged with a crime and having to deal with court dates is stressful enough. Even if you’re lucky to get probation, you still have a criminal record which severely limits your job opportunities and travel options.

Responsible disclosure is challenging enough. But actually hacking systems – even if you think you’re being playful – can lead to disaster. As I said in my comment: “Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board, or management team to trigger a disastrous outcome in stories like this.”

For the most part, my comment on HN was upvoted and supported in the replies. But I did get a certain amount of pushback. And wouldn’t you know it, in the news this morning is a fine example of the kind of idiocy out there that demonstrates why researchers and explorers need to be very careful to avoid violating the CFAA.

A journalist at the St. Louis Post-Dispatch discovered a data disclosure issue with a website that allowed the public to look up teacher credentials. Encoded in the HTML source code of the site were the social security numbers of teachers, counselors, and administrators. It’s worth noting that the data was encoded, not encrypted, which means it was easily readable by any attacker or software developer.

The St. Louis Post-Dispatch and their journalist did exactly the right thing: They confidentially disclosed the issue to the website operator. The website operator fixed the problem. And then the St. Louis Post-Dispatch disclosed the details in an article, which is exactly how the cybersecurity industry works. That final disclosure step is so that the public has full transparency on the issue – in other words, teachers should know that their socials were exposed. And so that other researchers, vendors, and operations staff can learn from this mistake.

What should have happened at this point? Nothing. Because absolutely nothing was awry. The discovery helped secure a system. The journalist never breached any cybersecurity ethical boundaries. The school system has a more secure website. Apparently, that wasn’t enough for Missouri Governor Mike Parson who has announced that the Cole County Prosecutor and the Missouri Highway Patrol [I’m not joking] will investigate the matter.

And the governor is rolling out the red carpet. Extracts from his statement: “We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.”

All because a journalist spotted that social security numbers were easily accessible in HTML source code, responsibly disclosed the issue, and helped secure the school system, exactly the way every ethical and responsible cybersecurity organization on this planet operates.

Let’s revisit the school hacking story I started with. What you have here is exactly what I warned folks about just days ago. An embarrassed governor and embarrassed school administrators are framing this as a malicious act to try to protect their reputations. And they have the full force of the CFAA to back them up. They’re most likely going to try to frame reading HTML source code as accessing a system beyond the authorization given, which is a crime under the CFAA.

So if you are a cybersecurity researcher or simply curious and love exploring our global Internet, please be careful. Read the Wikipedia entry for the CFAA so that you understand it. The Responsible Disclosure article on Wikipedia is also a great start. Every major cybersecurity certification also contains a section on ethics, so consider gaining a Security+, CEH, CISSP, or similar. After working in ops and development for over 20 years, I became a CISSP and even with my experience and knowledge, I found that I have benefited greatly from the certification.

Understand that responsible disclosure is still very much an industry insider concept. People who operate systems and their employers are often unsophisticated and uneducated in the field of cybersecurity – and they are human and are easily embarrassed. It’s very tempting for them to shoot the messenger, even when the messenger delivers the bad news within a globally accepted framework.

And when it comes to hacking your school network or other systems that you don’t have the authorization to hack? Don’t do it. We aren’t living in the 80s or early 90s anymore, where hackers are seen as adorable Matthew Broderick characters from the movie WarGames. When Kevin Mitnick was hunted down by Janet Reno for over 2 years, under the Clinton Administration in 1995, and eventually arrested, the game changed. Hackers were rebranded as evil, malicious, dangerous, and bound for prison, and Kevin was sentenced to 5 years. In South Africa where I was “exploring”, my friends started getting raided, one was arrested, and I was fortunate enough to only get a nasty letter. Childhood’s end had arrived for cybersecurity.

If you’re a researcher, take care, even when disclosing responsibly. If you think you’re being playful by accessing systems you’re not allowed to, or exceeding the access you’ve been given, stop. Back away from the keyboard. And sign up for a cybersecurity certification that will give you opportunities to do the kind of exploring you want to do, legally, and will teach you about the ethical frameworks that our industry has. And give your adventurous friends and family the same advice.

It’s not you. It’s them.

Mark Maunder – Defiant Inc Founder & CEO. (We make Wordfence)

The post It’s Not You. It’s Them. On Hacking and Responsible Disclosure. appeared first on Wordfence.

Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites.

During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack. This led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.

Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover, including a combination that allowed any logged-in user to modify any published post and add malicious JavaScript to it, as well as a separate flaw that allowed any logged-in user to upload potentially executable files and achieve remote code execution.

We received a response to our initial disclosure and sent over the full disclosure the same day, on August 19, 2021. A patched version of the Brizy – Page Builder plugin, 2.3.12, was released on August 24, 2021. As per our responsible disclosure policy, we are now disclosing the vulnerability details as the plugin has been fully patched for some time.

All Wordfence users, including Wordfence Premium users as well as those using the free version, are protected by a combination of our built-in firewall rules and an existing firewall rule released in June of 2020, which covered a similar vulnerability in a previous version of Brizy – Page Builder.

The original vulnerability was patched in version 1.0.126, but an almost identical vulnerability was reintroduced in version 1.0.127.

We strongly recommend updating to the latest version available, 2.3.17, as soon as possible, especially if you are not running Wordfence.


Description: Incorrect authorization checks allowing Post modification
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Plugin Developer: Brizy.io
Affected Versions: <= 1.0.125 and 1.0.127 – 2.3.11
CVE ID: CVE-2021-38345
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12

The Brizy – Page Builder plugin used the Brizy_Editor::is_administrator and Brizy_Editor_User::is_administrator functions for a wide variety of authorization checks, and any user that passed one of these checks was assumed to be an administrator, effectively bypassing almost all of the other capability checks used in the plugin. Unfortunately, due to a logic flaw, being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check: the functions relied on is_admin(), which only reports whether an administration-area page (admin-ajax.php included) is being served, not whether the current user is an administrator.

	public static function is_administrator() {

		if ( ! is_user_logged_in() ) {
			return false;
		}

		// is_admin() is true for any request served from the admin area,
		// including admin-ajax.php; it says nothing about the user's role.
		return is_admin() || is_super_admin();
	}

This meant that all logged-in users, even subscribers, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published. This logic flaw was identical to the one patched in version 1.0.126 and was reintroduced in version 1.0.127, though only Brizy_Editor::is_administrator existed in versions prior to 1.0.127.

While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.
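The difference between a request-context check and a role check, as an added example that is not Brizy's code. The WordPress functions are replaced by stand-ins that model one constructed request: a logged-in subscriber calling admin-ajax.php, the context in which the plugin's AJAX actions run.

```php
<?php
// Added example, not Brizy's code. The stand-ins below model a constructed
// request: a logged-in subscriber calling /wp-admin/admin-ajax.php.
$request = array(
	'logged_in'   => true,
	'admin_area'  => true,            // URL is under /wp-admin/, so is_admin() is true
	'super_admin' => false,
	'caps'        => array( 'read' ), // subscriber role: can read, cannot edit or manage
);

// Doubles for the WordPress API (same names and meaning, constructed data).
function is_user_logged_in() { global $request; return $request['logged_in']; }
function is_admin()          { global $request; return $request['admin_area']; } // page context, not role
function is_super_admin()    { global $request; return $request['super_admin']; }
function current_user_can( $cap ) { global $request; return in_array( $cap, $request['caps'], true ); }

// The flawed check from the vulnerable versions, reproduced for comparison.
function flawed_is_administrator() {
	if ( ! is_user_logged_in() ) {
		return false;
	}
	return is_admin() || is_super_admin();
}

// A role-based check: asks whether the user holds an administrator capability,
// regardless of which URL the request came in on.
function fixed_is_administrator() {
	if ( ! is_user_logged_in() ) {
		return false;
	}
	return current_user_can( 'manage_options' ) || is_super_admin();
}

// For the post-modification endpoints the per-object check is the right one:
// current_user_can( 'edit_post', $post_id ) also lets authors edit their own drafts.

printf( "flawed check: subscriber on admin-ajax.php is %s\n",
	flawed_is_administrator() ? 'treated as administrator' : 'not an administrator' );
printf( "fixed check:  subscriber on admin-ajax.php is %s\n",
	fixed_is_administrator() ? 'treated as administrator' : 'not an administrator' );
```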


Description: Authenticated Stored Cross-Site Scripting
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Plugin Developer: Brizy.io
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38344
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12

While the Brizy – Page Builder plugin does not offer a direct way for lower-privileged users such as contributors to add JavaScript to page content, it was possible for a lower-privileged user to modify a request sent to update a page via the brizy_update_item AJAX action by adding JavaScript to the data parameter. The added JavaScript would then be executed if the post was viewed or previewed by another user, such as an administrator.

Thanks to the authorization check vulnerability, even the lowest-privileged users, such as subscribers, could add malicious JavaScript to any page, allowing them to take over a site. JavaScript running in an administrator’s session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files.

While exploiting this as a subscriber-level user did require submitting a request containing valid hash and editor-version parameters, these are echoed out on dashboard pages accessible to subscribers. The only parameter an attacker would need to guess when modifying a page was the dataVersion parameter, an incrementing integer starting at 1 which could easily be guessed in seconds with a few repeated requests.


Description: Authenticated File Upload and Path Traversal
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Plugin Developer: Brizy.io
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38346
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12

Thanks to the authorization check vulnerability, it was also possible for subscriber-level users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action.

A malicious user could provide a filename of their choice using the id parameter, and populate the file contents via the ibsf parameter, which would be base64-decoded and written to the file.

While the plugin appended .jpg to all uploaded filenames, a double extension attack was also possible. For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.

By supplying a file with a .php extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover.
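The validation a handler of this shape needs before it writes a client-chosen name and body to disk, as an added example that is not Brizy's code. The parameter names id and ibsf are the advisory's; the screenshot directory is a placeholder (in WordPress it would come from wp_upload_dir()), and the authorization check from the previous section still has to run first.

```php
<?php
// Added example, not Brizy's code. SCREENSHOT_DIR is a placeholder path.
const SCREENSHOT_DIR = '/var/www/html/wp-content/uploads/brizy/screenshots';

// Returns the path to write, or null with $reason set when the request must be rejected.
function safe_screenshot_path( string $id, string $ibsf, ?string &$reason = null ): ?string {
	// 1. Name: accept only a short, flat identifier. basename() is not enough
	//    ("shell.php" survives it); an allowlist without dots or slashes rules out
	//    both a second extension and a ../ segment before anything touches the filesystem.
	if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $id ) ) {
		$reason = 'id is not a plain identifier';
		return null;
	}
	// 2. Body: strict base64, then verify the bytes start with the JPEG SOI marker
	//    instead of trusting the extension we are about to append. (A full decode via
	//    getimagesizefromstring() is stricter still.)
	$bytes = base64_decode( $ibsf, true );
	if ( $bytes === false || substr( $bytes, 0, 3 ) !== "\xFF\xD8\xFF" ) {
		$reason = 'ibsf is not base64-encoded JPEG data';
		return null;
	}
	// 3. Path: compose from the fixed directory and re-check containment, so a later
	//    loosening of the name rule cannot silently reintroduce traversal.
	$target = SCREENSHOT_DIR . '/' . $id . '.jpg';
	if ( dirname( $target ) !== SCREENSHOT_DIR ) {
		$reason = 'path escapes the screenshot directory';
		return null;
	}
	return $target;
}

// Constructed inputs: one well-formed request and the three shapes the advisory describes.
$jpeg_like = base64_encode( "\xFF\xD8\xFF\xE0" . str_repeat( "\0", 16 ) ); // constructed JPEG header only
$php_like  = base64_encode( '<?php echo "not an image"; ?>' );

$cases = array(
	'well-formed'         => array( 'block-42',        $jpeg_like ),
	'double extension'    => array( 'shell.php',       $jpeg_like ),
	'directory traversal' => array( '../../shell.php', $jpeg_like ),
	'non-image body'      => array( 'block-42',        $php_like ),
);
foreach ( $cases as $label => list( $id, $ibsf ) ) {
	$reason = null;
	$path   = safe_screenshot_path( $id, $ibsf, $reason );
	printf( "%-21s %s\n", $label . ':', $path ?? 'rejected (' . $reason . ')' );
}
```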

Timeline

June 11, 2020 – We become aware of a vulnerability in the Brizy – Page Builder and release a firewall rule to Wordfence Premium users.
July 11, 2020 – The firewall rule becomes available to all Wordfence users.
August 19, 2021 – Wordfence Threat Intelligence finishes an investigation of the Brizy – Page Builder plugin prompted by our review of traffic to the firewall rule. We initiate the disclosure process, receive a response from the plugin developer, and send over full disclosure.
August 25, 2021 – A patched version, 2.3.12, is released.

Conclusion

In today’s article, we discussed three vulnerabilities in the Brizy – Page Builder plugin, including an access control vulnerability that enabled a stored XSS vulnerability and an arbitrary file upload vulnerability, either of which could be used to take over a site.

All Wordfence users, including Wordfence Premium users as well as those still using the free version of Wordfence, have been protected against these vulnerabilities since 2020. Nonetheless, we strongly recommend updating to the latest version of Brizy available, 2.3.17, especially if you do not use the Wordfence plugin.

If your site has been compromised as a result of this or any other vulnerability, we offer Professional Site Cleaning services to help undo the damage. If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to complete site takeover.

The post Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover appeared first on Wordfence.

Wordfence Helps Enable Education in Uganda

I want to share something very exciting and truly wonderful with you all today. Wordfence just completed a project where we partnered with Far Away Friends, a Denver-based non-profit working in partnership with local leaders in Uganda, to bring light and electricity to a school campus in a remote area of Uganda called Namasale. 

I’d like you to watch the video below, because it gives you a real sense of the transformation that has happened in Namasale thanks to this project and thanks to your help. Then scroll down for the full story. 

As you already know, our business is security. Wordfence allows you to run your business on WordPress with the knowledge that your customers and your investment are safe and secure.

We believe that security extends beyond the internet. No matter where you are, everyone has the right to feel secure, and to be secure. We believe that access to education is the most fundamental way to enable security for individuals, families, and communities. 

When we learned about Far Away Friends, whose mission is to improve the lives of children in rural Uganda by providing access to education, we knew we wanted to get involved. Given that our expertise is in cybersecurity, and not in education in developing countries, we knew that our first step would be to listen and to learn. 

Far Away Friends was established to aid the children of Uganda, whose history is that of decades-long civil war, combined with an HIV crisis. We feel that the mission of Far Away Friends, to educate Ugandan children in partnership with local leaders, is one that is extremely impactful and important. 

Far Away Friends is based in the Amolatar District, which was one of the most geographically isolated regions of Uganda until a ferry was built in 2013. Because of its rural location, children in this region have historically been deprived of access to quality education. In 2016, Far Away Friends opened Global Leaders Primary (GLP) in Namasale, a town in Amolatar District, to provide primary education to children in the area. 

Since 2018, 100% of the students at GLP have graduated and passed their Primary Leaving Exams in the top two highest divisions. GLP has graduated 90 students, has 250 current students, and already expects 600 new students over the next few years.

Far Away Friends has achieved much with limited resources, and we wanted to know how we could help. The founders, Jayme and Collines, explained to us that GLP only had two classrooms with access to electricity, and the access they had was limited. We considered how much more they could achieve with access to electricity for classrooms, dormitories, a computer lab and a clinic.

We decided to dedicate ourselves to providing GLP with fully functioning and sustainable electricity throughout the school. With Wordfence investing in a solar installation at GLP, it would significantly accelerate the positive change that Far Away Friends is creating. 

It was important to us that we contribute to the local Ugandan economy by hiring local suppliers. We evaluated several suppliers and selected GreenMax, an electrical contractor based in Lira, Uganda. 

GreenMax made several trips to and from Namasale to quote the project scope and to ensure the required materials were on-site. After weeks of work, GreenMax installed 5 solar systems in Ingrid Hall (girls’ dormitory), Dylan Hall (boys’ dormitory), the classrooms and computer lab block, the clinic and office block, and the teachers’ quarters.

After the work was done, TechNugget, a Solar Systems Monitoring & Evaluation company, came to review the work and provided us with a stellar report, confirming that GreenMax had done a great job. 

With these added solar systems, children are now able to get ready for school in well-lit dormitories, walk to school on a safe and well-lit path thanks to the security lights, and be educated in a classroom with bright lights and electrical outlets for equipment like computers. The teachers are also now able to expand their lesson plans with the use of computers and lights, no matter what time of the day school is in session.

If you’re interested in seeing the work done, please watch the video above. We hired Malaika, a local Uganda-based film crew, who captured this incredible footage of Namasale and of GLP and its students and teachers, and we are very proud of the outcome. 

Our goal in collaborating with Far Away Friends and our Uganda partners is to continue and to help accelerate the work that Far Away Friends began, and to create an effective learning environment for the next generation in Uganda. The completion of this solar and electrical project is a big step in that direction. 

You should feel proud too because your support of Wordfence is what enabled this project, so we thank you for being part of this incredible outcome and for your contribution.

Technical Data 

For those of you who are technically minded, we’re including the specifications of the solar installation at GLP. This includes the capacity of items like batteries, inverters, solar panels and quantities. The linked PDF also includes selected photos of the installation. 

Click here to view a PDF that contains the specifications of the GLP solar installation. 

If you’re interested in learning more about Far Away Friends and how you can help support them, visit: https://www.farawayfriends.org/.

If you’re interested in learning more about Wordfence, visit: www.wordfence.com

Thanks,

Mark Maunder

The post Wordfence Helps Enable Education in Uganda appeared first on Wordfence.

High Severity Vulnerability Patched in Access Demo Importer Plugin

On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 sites. This flaw made it possible for authenticated attackers with just subscriber level access to upload arbitrary files that could be used to achieve remote code execution. On sites with open registration, an anonymous user could easily register and exploit this vulnerability.

We initially attempted to reach out to the plugin vendor on August 9, 2021 and made a few additional attempts to get in contact with the vendor over the next few weeks. As the vendor failed to respond after 2 weeks despite multiple contact attempts, we escalated the issue to the WordPress.org plugins team. The plugins team responded immediately and closed the plugin for downloads on August 27, 2021, pending a full review. A partially patched version of the plugin was reopened for downloads around September 7, 2021. After following up with the developer and the WordPress plugins team, a fully patched version of the plugin was released on September 21, 2021.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021. As per our responsible disclosure policy, we are now fully disclosing the vulnerability details because enough time has elapsed since the fix was released.

If you have not already done so, we strongly recommend updating to the latest version of the plugin available, 1.0.7, as soon as possible to ensure your site is not vulnerable to this security issue.


Description: Authenticated Arbitrary File Upload
Affected Plugin: Access Demo Importer
Plugin Slug: access-demo-importer
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-39317
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.0.7

Access Demo Importer is a plugin designed to import demo content for themes developed by AccessPress Themes. The importer functionality will import everything from content and photos, to plugins required to optimize a site’s functionality. One feature the plugin integrated was the ability to install plugins that are hosted outside of the WordPress.org repository during an import. Unfortunately, this functionality was insecurely implemented, making it possible for authenticated users to upload arbitrary files.

The plugin registers the wp_ajax_plugin_offline_installer AJAX action, which is tied to the plugin_offline_installer_callback function. This function takes the supplied file_location, which could be any external URL to a ZIP file, along with the other specifying parameters like slug, class_name, and file, and then retrieves the file’s contents and extracts the ZIP file to the plugins directory.

		public function plugin_offline_installer_callback() {
			// No check_ajax_referer() and no current_user_can() call: any logged-in
			// user who can reach admin-ajax.php can drive this handler.
			$plugin = array();

			$file_location    = $plugin['location'] = isset( $_POST['file_location'] ) ? sanitize_text_field( wp_unslash( $_POST['file_location'] ) ) : '';
			$file             = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
			$host_type        = isset( $_POST['host_type'] ) ? sanitize_text_field( wp_unslash( $_POST['host_type'] ) ) : '';
			$plugin_class     = $plugin['class'] = isset( $_POST['class_name'] ) ? sanitize_text_field( wp_unslash( $_POST['class_name'] ) ) : '';
			$plugin_slug      = $plugin['slug'] = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
			$plugin_directory = WP_PLUGIN_DIR;

			$plugin_file = $plugin_slug . '/' . $file;

			// For host_type=remote the ZIP is first fetched from the caller-supplied URL.
			if ( $host_type == 'remote' ) {
				$file_location = $this->get_local_dir_path( $plugin );
			}

			// The archive is extracted straight into the plugins directory and activated.
			$zip = new ZipArchive();
			if ( $zip->open( $file_location ) === TRUE ) {
				$zip->extractTo( $plugin_directory );
				$zip->close();

				activate_plugin( $plugin_file );

				if ( $host_type == 'remote' ) {
					unlink( $file_location );
				}

				echo 'success';

				die();
			} else {
				echo 'failed';
			}

			die();
		}

Unfortunately, this function had no capability check, nor any nonce checks, which made it possible for authenticated users with minimal permissions, like subscribers, to install a zip file as a “plugin” from an external source. This “plugin” zip file could contain malicious PHP files, including webshells, that could be used to achieve remote code execution once extracted and ultimately be used to completely take over a site.

Disclosure Timeline

August 9, 2021 – Conclusion of the plugin analysis that led to the discovery of an arbitrary file upload vulnerability in the Access Demo Importer WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We make an initial contact attempt with the plugin’s vendor.
August 10, 2021 – We discover an additional method to contact the plugin’s vendor and send another initial contact message.
August 18, 2021 – After no response, we attempt to reach out to the vendor again via a different contact.
August 27, 2021 – Due to no response, we reach out to the WordPress plugins team and send over full disclosure details. The plugin is temporarily closed for downloads on the same day.
September 7, 2021 – The plugin is reopened for downloads containing a partial patch for the vulnerability. We attempt to reach out to the vendor, who responded to us after the WordPress.org team got in contact with them, to inform them that the plugin is still missing capability checks.
September 8, 2021 – Wordfence free users receive the firewall rule.
September 20, 2021 – We follow up with the WordPress plugins team after again receiving no response from the developer. They respond and let us know that they have informed the developer about the missing capability checks.
September 21, 2021 – A fully patched version of the plugin is released as version 1.0.7.

Conclusion

In today’s post, we detailed a flaw in Access Demo Importer that granted authenticated attackers the ability to upload arbitrary files, allowing them to perform remote code execution. This flaw was fully patched in version 1.0.7. We recommend that WordPress users immediately update to the latest version available, which is version 1.0.7 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post High Severity Vulnerability Patched in Access Demo Importer Plugin appeared first on Wordfence.

PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons

Today’s post is part two of a two-part blog post. It describes a cross-site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of PHP_SELF.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.

After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. An initial patch, version 3.0.9, was released the next day, on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.


Description: Reflected Cross-Site Scripting
Affected Plugin: Easy Social Icons
Plugin Slug: easy-social-icons
Affected Versions: <= 3.0.8
CVE ID: CVE-2021-39322
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.3

The Easy Social Icons plugin options page contained a JavaScript function designed to display a confirmation dialog when a user deleted an icon, and then redirect them to a URL that would perform the final deletion. It constructed this URL using the value of the $_SERVER['PHP_SELF'] variable. This differs slightly from yesterday’s vulnerability, which used $GLOBALS['PHP_SELF'].

			function show_confirm(title, id)
			{
				var rpath1 = "";
				var rpath2 = "";
				var r=confirm('Are you confirm to delete "'+title+'"');
				if (r==true)
				{
					// PHP_SELF is echoed unescaped into a single-quoted JavaScript string;
					// on Apache/modPHP it can carry attacker-controlled path information.
					rpath1 = '<?php echo $_SERVER['PHP_SELF'].'?page=cnss_social_icon_page'; ?>';
					rpath2 = '&cnss-delete=y&id='+id;
					window.location = rpath1+rpath2;
				}
			}

The primary difference between $GLOBALS and $_SERVER is that $_SERVER is a built-in PHP “superglobal” variable that holds values provided by the webserver (such as Apache or Nginx) while $GLOBALS is a built-in PHP variable that holds the contents of all of PHP’s “superglobal” variables, including $_GET and $_POST, as well as the contents of $_SERVER.

As with yesterday’s vulnerability, sites running Apache and modPHP store additional path information after the filename in PHP_SELF by default, which means an attacker can add malicious JavaScript to the path itself. Since PHP_SELF was echoed out in quotes inside an existing JavaScript, however, it was also necessary to close the existing script tag in order to exploit this vulnerability, e.g:

<siteURL>/wp-admin/admin.php//index"/></script><script>alert(/xss/);</script>?page=cnss_social_icon_page

While sites running on Apache+modPHP, which is an extremely common configuration, are most likely to be vulnerable, other configurations may be vulnerable as well depending on how they have been set up.

As with most reflected XSS vulnerabilities impacting WordPress, a crafted link could be used to execute JavaScript in an administrator’s session, which could be used to take over a site by adding a backdoor to a plugin or theme file or adding a malicious admin user.

Timeline

August 16, 2021 – Wordfence Threat Intelligence finds the vulnerability and attempts to contact the plugin developer. We release a firewall rule to protect Wordfence Premium users.
August 30, 2021 – After 2 weeks without a response we contact the WordPress plugins team.
August 31, 2021 – A patched version of the plugin is made available.
September 15, 2021 – Sites running the free version of Wordfence receive the firewall rule.

Conclusion

In today's article, we covered a reflected Cross-Site Scripting (XSS) vulnerability in the Easy Social Icons plugin which could be used to execute malicious JavaScript in an administrator's session and take over a site.

Wordfence Premium users have been protected against this vulnerability since August 16, 2021. Sites still running the free version of Wordfence received the same protection on September 15, 2021. We strongly recommend updating to the latest version available, 3.1.3, as soon as possible, as it also contains additional fixes, though the Wordfence Firewall blocks exploitation of these additional vulnerabilities via its built-in XSS protection.

If you believe your site has been compromised as a result of this or any other attack, Wordfence offers professional Site Cleaning services. Our Security Analysts remove any malware found, and also determine the intrusion vector if possible, as well as providing recommendations to prevent future infections.

If anyone you know is using the Easy Social Icons plugin, please forward this article to them and encourage them to update. If you’d like to be alerted when we publish new threat research, you can join our mailing list on this page.

The post PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons appeared first on Wordfence.

PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin

Today's post is part one of a two-part blog post. It describes a cross-site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF. So be sure to look out for that post via our mailing list, which you can join on this page, in case you're not already a member.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. A patched version, 1.19, was released the next day, on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence, and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction which contains the patch.


Description: Reflected Cross-Site Scripting
Affected Plugin: underConstruction
Plugin Slug: underconstruction
Affected Versions: <= 1.18
CVE ID: CVE-2021-39320
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.19

The underConstruction plugin options page contained a settings form which echoed out the value of the $GLOBALS['PHP_SELF'] variable as its submission target.

		<!-- Vulnerable plugin code: PHP_SELF is echoed unescaped into the action attribute. -->
		<form method="post"
			action="<?php echo $GLOBALS['PHP_SELF'] . '?page=' . $this->mainOptionsPage; ?>"
			id="ucoptions">

PHP_SELF stores the path of the currently running script, so it's a simple way to get a form to submit to itself. Sites running Apache and mod_php store additional path information after the filename in PHP_SELF by default, for example, examplesite.com/index.php/extrapath. Unfortunately, this meant that JavaScript could be added to the path itself, for example:

<siteURL>/wp-admin/admin.php//index"/><svg/onload=alert(/xss/)>?page=under-construction


If an attacker was able to trick an administrator into clicking a crafted link, it could be used to execute JavaScript in that administrator’s session, which could be used to add a malicious admin user, or install a backdoor on the site, leading to site takeover.

Sites running Nginx or Apache+PHP-FPM do not store the additional path information required for the vulnerability to work by default, but some shared hosting providers may enable this functionality for compatibility with other software.
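The following is an added example, not code from either plugin or from Wordfence: it renders the underConstruction form action and the Easy Social Icons redirect string from a constructed $_SERVER array carrying the kind of Apache+mod_php path info described above, first the way both plugins did it and then with context-appropriate encoding. The function names and the $server array are assumptions made for the example.

```php
<?php
// Constructed request (not a captured one): under Apache+mod_php, PATH_INFO is
// appended to PHP_SELF, while SCRIPT_NAME holds only the script path.
$server = [
    'SCRIPT_NAME' => '/wp-admin/admin.php',
    'PHP_SELF'    => '/wp-admin/admin.php//index"/><svg/onload=alert(/xss/)>',
];

// Vulnerable pattern, as in both plugins: raw PHP_SELF inside an HTML attribute.
// The double quote in the path info terminates the attribute and the tag.
function vulnerable_form_action(array $server, string $page): string {
    return '<form action="' . $server['PHP_SELF'] . '?page=' . $page . '">';
}

// Hardened attribute: build the URL from SCRIPT_NAME (no PATH_INFO), encode the
// query value, then escape for the HTML attribute context.
// In WordPress code, esc_url( admin_url( 'admin.php?page=...' ) ) does the same job.
function safe_form_action(array $server, string $page): string {
    $url = $server['SCRIPT_NAME'] . '?page=' . rawurlencode($page);
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Hardened JS string literal (the Easy Social Icons case): JSON-encode with the
// HEX flags so quotes, <, > and & can never close the string or the script tag.
function safe_js_redirect(array $server, string $page): string {
    $url   = $server['SCRIPT_NAME'] . '?page=' . rawurlencode($page);
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return 'rpath1 = ' . json_encode($url, $flags) . ';';
}

// Even if PHP_SELF were kept, escaping alone prevents the breakout; the tag
// simply points at a harmless, over-long URL.
function escaped_php_self(array $server): string {
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo vulnerable_form_action($server, 'under-construction'), PHP_EOL;
echo safe_form_action($server, 'under-construction'), PHP_EOL;
echo safe_js_redirect($server, 'cnss_social_icon_page'), PHP_EOL;
echo escaped_php_self($server), PHP_EOL;
```

The first line of output shows the attribute terminated by the injected quote; the remaining lines contain no unencoded quote, angle bracket or path info.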

Timeline

August 16, 2021 – Wordfence Threat Intelligence finds the vulnerability and attempts to contact the plugin developer. We release a firewall rule to protect Wordfence Premium users.
August 30, 2021 – After 2 weeks without a response we contact the WordPress plugins team.
August 31, 2021 – A patched version of the plugin is made available.
September 15, 2021 – Sites running the free version of Wordfence receive the firewall rule.

Conclusion

In today's article, we covered a reflected Cross-Site Scripting (XSS) vulnerability in the underConstruction plugin which could be used to execute malicious JavaScript in an administrator's session and take over a site. While XSS vulnerabilities targeting PHP_SELF are no longer as common as they were in the past, due to growing use of best practices such as escaping output and using built-in WordPress functions to securely save options, they can still be found from time to time.

During the research that led us to this vulnerability, we found a second, similar vulnerability in another plugin with over 40,000 installations, which we’ll cover in more detail in tomorrow’s post.

Wordfence Premium users have been protected against this vulnerability since August 16, 2021. Sites still running the free version of Wordfence received the same protection on September 15, 2021. Nonetheless we strongly recommend updating to the latest version available, 1.19, as soon as possible.

If you believe your site has been compromised as a result of this or any other attack, Wordfence offers professional Site Cleaning services. Our Security Analysts remove any malware found, and also determine the intrusion vector if possible, as well as providing recommendations to prevent future infections.

If anyone you know is using the underConstruction plugin, please forward this article to them and encourage them to update.

The post PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin appeared first on Wordfence.
