WP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting

https://chevonphillip.com/wp-content/uploads/2020/07/3CX-WP-Live-Chat-XSS-1.mp4

There is a Stored Cross-Site Scripting (XSS) vulnerability in WP-Live Chat by 3CX v. 8.1.9 within the Quick Response function. An attacker with an account on a WordPress multisite and permission to use this plugin can save a JavaScript payload in a Quick Response; it is stored unescaped and executes in the browser of any user who later views it.

https://wpvulndb.com/vulnerabilities/10303

Stored XSS – ImageBoss Plugin v.3.0.4 In WordPress v.5.4.1

Vulnerability Class: XSS | Vulnerable Product: ImageBoss v.3.0.4

What is ImageBoss?

ImageBoss provides content-aware image resizing, cropping, compression, caching, and global delivery, packaged as one API. ImageBoss is a tool in the Image Processing and Management category of a tech stack.

Vulnerable Code

settings.php renders the plugin's settings form. The "Source Name" input takes its value attribute straight from the stored option with <?php echo get_option('ibup_imageboss_source') ?>, with no escaping for attribute context, so a saved value containing a double quote breaks out of the attribute and is echoed back into the DOM as markup.

<input
        id="ibup_imageboss_source"
        name="ibup_imageboss_source"
        placeholder="mywordpress-images"
        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />

Contents of the Settings.php File

<?php
function image_boss_settings() {
?>

<form method="post" action="options.php" id="image_boss_settings">
  <div class="wrap">
    <h2>ImageBoss</h2>

    <?php if (isset($_GET['settings-updated'])) { ?>
      <div class='updated'><p>You have successfully saved the settings.</p></div>
    <?php } ?>

    <h3>Step 1: Account</h3>
    <p>Create your <a href="https://imageboss.me/" target="_blank">ImageBoss Account</a>.</p>

    <h3>Step 2: Image Source</h3>
    <p>
      Connect ImageBoss to your images on <a target='_blank' href='https://imageboss.me/dashboard'>ImageBoss Dashboard</a> by adding your image source.
    </p>
    <?php settings_fields('imageboss-settings-group'); ?>

    <h3>Step 3: Source Name</h3>
    <p>This is the name you gave to your Image Source on Step 2.</p>
    <input
        id="ibup_imageboss_source"
        name="ibup_imageboss_source"
        placeholder="mywordpress-images"
        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />
    <h3>Activate</h3>
    <input
      type="checkbox"
      id="ibup_imageboss_active"
      name="ibup_imageboss_active"

      value="true"
      <?php echo get_option('ibup_imageboss_active') ? 'checked' : '' ?>
    /> <label for="ibup_imageboss_active">If you have all set, check this box to activate ImageBoss on your images.</label>
    <h3>Advanced Configurations</h3>
    <p>By default ImageBoss will wrap all your images. If you don't want this to happen you can add bellow the hosts you want ImageBoss to intercept:</p>
      <textarea
        id="ibup_imageboss_hosts"
        name="ibup_imageboss_hosts"
        rows="4" cols="80"
      ><?php echo get_option('ibup_imageboss_hosts') ?></textarea> <br /> <br />
    <input type="submit" class="button-primary" value="Save Changes" />
  </form>

  </div> <br /> <br /> <br /> <br />
  <div>
    <h3>Useful Links</h3>
    <a class='button action' target='_blank' href='https://imageboss.me/pricing'>Create Account</a>
    <a class='button action' target='_blank' href='https://imageboss.me/dashboard'>ImageBoss Dashboard</a>
    <a class='button action' target='_blank' href='https://imageboss.me/docs'>ImageBoss Docs</a>
    <a class='button action' target='_blank' href='https://github.com/imageboss/imageboss-wordpress'>Plugin Documentation</a>
    <a class='button action' target='_blank' href='https://github.com/imageboss/imageboss-wordpress/issues'>Report a Bug</a>
  </div>
<?php
}

Exploit and Payload In Action

chevonphillip"><img src=x onerror=alert(1337);>"

Video PoC

https://chevonphillip.com/wp-content/uploads/2020/07/imageboss-3.0.4-xss.mp4

Recommended Fix

Escape the option on output with the WordPress helpers for the context it lands in (esc_attr() for the input's value attribute, esc_textarea() for the hosts textarea), and validate the value on save with a sanitize_callback passed to register_setting(). PHP's own sanitize filters are a generic alternative:

https://www.php.net/manual/en/filter.filters.sanitize.php
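The following is an added example, not the ImageBoss plugin's code and not the vendor's fix: the vulnerable output pattern from settings.php next to a hardened version, rendered with the payload from this write-up so the difference is visible. It runs stand-alone, so the WordPress helpers are modelled: esc_attr() and esc_textarea() are replaced by htmlspecialchars() with ENT_QUOTES (which is what they reduce to for this purpose), and the register_setting() sanitize_callback is a plain function. The rule that a source name must look like a DNS label is an assumption made for this example, not an ImageBoss requirement.

```php
<?php
// Added example (not the plugin's code). Stand-ins for WordPress helpers:
// esc_attr()/esc_textarea() -> htmlspecialchars(ENT_QUOTES); sanitize_callback -> plain function.

// Constructed stored value: the payload from this write-up, as saved via the settings form.
$stored = 'chevonphillip"><img src=x onerror=alert(1337);>"';

// Vulnerable: the raw option value is dropped into an attribute, as in settings.php.
function render_vulnerable(string $value): string {
    return '<input id="ibup_imageboss_source" name="ibup_imageboss_source" value="'
        . $value . '" />';
}

// Output escaping for attribute and textarea context. In WordPress use esc_attr()
// and esc_textarea(); this is the stand-alone equivalent.
function esc_standalone(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $value): string {
    return '<input id="ibup_imageboss_source" name="ibup_imageboss_source" value="'
        . esc_standalone($value) . '" />';
}

// The hosts textarea on the same page needs the same treatment (esc_textarea() in WordPress).
function render_hosts_hardened(string $hosts): string {
    return '<textarea id="ibup_imageboss_hosts" name="ibup_imageboss_hosts">'
        . esc_standalone($hosts) . '</textarea>';
}

// Input validation on save, shaped like a register_setting() sanitize_callback.
// Assumption for this example: a source name is a DNS-label-like token, so anything
// else is rejected outright rather than having tags stripped from it.
function sanitize_source_name($value): string {
    $value = is_string($value) ? trim($value) : '';
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9-]{0,62}$/', $value) ? $value : '';
}

// Crude check used only for the demonstration: does the markup still contain a
// quote that closes the attribute followed by a new tag?
function breaks_out_of_attribute(string $html): bool {
    return (bool) preg_match('/"\s*>\s*<img/i', $html);
}

echo "Vulnerable: " . render_vulnerable($stored) . "\n";
echo "  breaks out of attribute: " . (breaks_out_of_attribute(render_vulnerable($stored)) ? 'yes' : 'no') . "\n";
echo "Hardened:   " . render_hardened($stored) . "\n";
echo "  breaks out of attribute: " . (breaks_out_of_attribute(render_hardened($stored)) ? 'yes' : 'no') . "\n";
echo "Hosts:      " . render_hosts_hardened("cdn.example.com\n" . $stored) . "\n";
echo "Saved value after sanitize_callback: '" . sanitize_source_name($stored) . "'\n";
echo "Saved value after sanitize_callback: '" . sanitize_source_name('mywordpress-images') . "'\n";
```

In the real plugin the callback would be wired up with register_setting('imageboss-settings-group', 'ibup_imageboss_source', ['sanitize_callback' => 'sanitize_source_name']), using the settings group name already present in settings.php. Do both halves: output escaping is what closes the XSS, and input validation stops bad data from being stored at all, which also protects any other place the option is later printed.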

Vendor Fix

Thank you @igorescobar for fixing this bug in a timely manner.

https://github.com/imageboss/imageboss-wordpress/issues/2

https://plugins.trac.wordpress.org/browser/imageboss/trunk/admin/screens/settings.php?annotate=blame&rev=2302400


Timeline

  • 04/30/2020 – CVE requested from cve.mitre.org.
  • 04/30/2020 – Write-up created pending public disclosure.
  • 05/01/2020 – Reported Vulnerability to the vendor.
  • 05/01/2020 – Reported to WordPress Plugin Security Team.
  • 05/11/2020 – Reply from the vendor.
  • 05/11/2020 – Bug fixed in v.3.0.6.

Sub-Domain Takeovers — How Can Companies Better Secure Their Assets? Part 1

What are Sub-Domains?

For those of you who may not know what a sub-domain is, here's a brief description in my own words.

Sub-domains are children of a parent domain, which in turn sits under a top-level domain (TLD) such as .com. For example, https://example.com may have sub-domains with URLs such as http://development.server.example.com and http://staging.server.example.com.


Why do Sub-Domains exist?

There are several reasons why sub-domains are used. Here are some of the main reasons I have come across during my research.

  • CNAME (Canonical Name Record) — pointing to a third-party service such as WordPress, Pantheon, or GitHub Pages.
  • Hosting static resources — images, files, and other data that don't need to live on a company's own servers, typically on services such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and Content Delivery Networks (CDNs).
  • Development and staging environments — sub-domains that point to servers which aren't meant to be public or discovered by end-users or web crawlers.
  • API endpoint integrations — sub-domains that point to an API endpoint serving RESTful data to and from applications.
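The CNAME case above is where takeovers start: if a sub-domain's CNAME points at a third-party host that has since been deleted and the provider lets anyone claim that name, the company's own hostname ends up serving attacker content. The script below is an added example (not part of this post) that performs the first-pass check for that condition over a list of sub-domains: it looks for CNAMEs whose target belongs to a recognised third-party provider and no longer resolves. All zone data is constructed, resolution is injected as a callable so it runs offline, and the provider suffix table is an assumption covering the services named in the post plus a few common ones; the suffix match identifies the provider but does not by itself prove the name can be claimed.

```php
<?php
// Added example: dangling-CNAME triage. Constructed data, offline resolution.
// Requires PHP 8 (str_ends_with). For a real run replace $lookup/$resolves with
// dns_get_record() calls.

// Constructed sample zone: name => [type, target]
$SAMPLE_ZONE = [
    'staging.server.example.com'     => ['CNAME', 'example-staging.github.io'],
    'development.server.example.com' => ['CNAME', 'dev-assets.s3-website-us-east-1.amazonaws.com'],
    'cdn.example.com'                => ['CNAME', 'd111111abcdef8.cloudfront.net'],
    'api.example.com'                => ['A', '203.0.113.10'],
];

// Constructed sample: whether each CNAME target still resolves (false = NXDOMAIN).
$SAMPLE_TARGETS = [
    'example-staging.github.io'                     => false, // project deleted, name unclaimed
    'dev-assets.s3-website-us-east-1.amazonaws.com' => true,
    'd111111abcdef8.cloudfront.net'                 => true,
];

// Assumed suffix => provider map for classifying CNAME targets.
const PROVIDER_SUFFIXES = [
    'github.io'         => 'GitHub Pages',
    'pantheonsite.io'   => 'Pantheon',
    'wordpress.com'     => 'WordPress.com',
    'amazonaws.com'     => 'AWS',
    'cloudfront.net'    => 'AWS CloudFront',
    'azurewebsites.net' => 'Azure App Service',
];

function provider_for(string $target): ?string {
    foreach (PROVIDER_SUFFIXES as $suffix => $provider) {
        if (str_ends_with($target, '.' . $suffix)) {
            return $provider;
        }
    }
    return null;
}

// $lookup(name) returns [type, target] or null; $resolves(target) returns bool.
function find_dangling(array $names, callable $lookup, callable $resolves): array {
    $findings = [];
    foreach ($names as $name) {
        $rec = $lookup($name);
        if ($rec === null || $rec[0] !== 'CNAME') {
            continue; // A records don't dangle in this way
        }
        [, $target] = $rec;
        $provider = provider_for($target);
        if ($provider === null) {
            continue; // points at something internal or unknown: a different review
        }
        if (!$resolves($target)) {
            $findings[] = ['name' => $name, 'target' => $target, 'provider' => $provider];
        }
    }
    return $findings;
}

$lookup   = fn(string $n) => $SAMPLE_ZONE[$n] ?? null;
$resolves = fn(string $t) => $SAMPLE_TARGETS[$t] ?? false;

foreach (find_dangling(array_keys($SAMPLE_ZONE), $lookup, $resolves) as $f) {
    printf("%s -> %s (%s): target does not resolve; check whether the name can be claimed\n",
        $f['name'], $f['target'], $f['provider']);
}
```

NXDOMAIN is only one signal. Some services keep the target resolvable and answer with an error page instead (an S3 bucket name that no longer exists still resolves, and the response says the bucket is missing), so a complete check also fetches the host over HTTP and matches the provider's "unclaimed" response. Run this against a fresh export of the zone rather than an old inventory: the record that dangles is usually the one nobody remembered creating.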