Multiple Stored Cross-Site Scripting within SendPress Newsletter Settings due to improper input sanitation.
The vulnerable fields are:
- From Name
- From Email
- Where to send Test Email
Category: Writeup
bookmark_borderNewsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting
An Authenticated Stored Cross-Site Scripting (XSS) was discovered within the Company Info “Motto” field. When creating a new newsletter using an empty template with the header module, the XSS would execute.
bookmark_borderWP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting
There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload.
bookmark_borderStored XSS – ImageBoss Plugin v.3.0.4 In WordPress v.5.4.1
Vulnerability Class: XSS | Vulnerable Product: ImageBoss v.3.0.4
What is ImageBoss?
Content-aware image resizing, cropping, compression, cache, and globally deliver. All web development best practices, hassle-free in one simple and powerful API.ImageBoss is a tool in the Image Processing and Management category of a tech stack.
Vulnerable Code
Settings.php contains a line of code that creates an input field and echo the value of the input back to the DOM with the following PHP code <?php echo get_option(‘ibup_imageboss_source’) ?> .
<input
id="ibup_imageboss_source"
name="ibup_imageboss_source"
placeholder="mywordpress-images"
style="width: 300px"
value="<?php echo get_option('ibup_imageboss_source') ?>"
/> <br /> <br />Contents of the Settings.php File
<?php
function image_boss_settings() {
?>
<form method="post" action="options.php" id="image_boss_settings">
<div class="wrap">
<h2>ImageBoss</h2>
<?php if (isset($_GET['settings-updated'])) { ?>
<div class='updated'><p>You have successfully saved the settings.</p></div>
<?php } ?>
<h3>Step 1: Account</h3>
<p>Create your <a href="https://imageboss.me/" target="_blank">ImageBoss Account</a>.</p>
<h3>Step 2: Image Source</h3>
<p>
Connect ImageBoss to your images on <a target='_blank' href='https://imageboss.me/dashboard'>ImageBoss Dashboard</a> by adding your image source.
</p>
<?php settings_fields('imageboss-settings-group'); ?>
<h3>Step 3: Source Name</h3>
<p>This is the name you gave to your Image Source on Step 2.</p>
<input
id="ibup_imageboss_source"
name="ibup_imageboss_source"
placeholder="mywordpress-images"
style="width: 300px"
value="<?php echo get_option('ibup_imageboss_source') ?>"
/> <br /> <br />
<h3>Activate</h3>
<input
type="checkbox"
id="ibup_imageboss_active"
name="ibup_imageboss_active"
value="true"
<?php echo get_option('ibup_imageboss_active') ? 'checked' : '' ?>
/> <label for="ibup_imageboss_active">If you have all set, check this box to activate ImageBoss on your images.</label>
<h3>Advanced Configurations</h3>
<p>By default ImageBoss will wrap all your images. If you don't want this to happen you can add bellow the hosts you want ImageBoss to intercept:</p>
<textarea
id="ibup_imageboss_hosts"
name="ibup_imageboss_hosts"
rows="4" cols="80"
><?php echo get_option('ibup_imageboss_hosts') ?></textarea> <br /> <br />
<input type="submit" class="button-primary" value="Save Changes" />
</form>
</div> <br /> <br /> <br /> <br />
<div>
<h3>Useful Links</h3>
<a class='button action' target='_blank' href='https://imageboss.me/pricing'>Create Account</a>
<a class='button action' target='_blank' href='https://imageboss.me/dashboard'>ImageBoss Dashboard</a>
<a class='button action' target='_blank' href='https://imageboss.me/docs'>ImageBoss Docs</a>
<a class='button action' target='_blank' href='https://github.com/imageboss/imageboss-wordpress'>Plugin Documentation</a>
<a class='button action' target='_blank' href='https://github.com/imageboss/imageboss-wordpress/issues'>Report a Bug</a>
</div>
<?php
}Exploit and Payload In Action
chevonphillip"><img src=x onerror=alert(1337);>"
Video PoC
Recommended Fix
https://www.php.net/manual/en/filter.filters.sanitize.php
Vendor Fix
Thank you @igorescobar for fixing this bug in a timely manner.
https://github.com/imageboss/imageboss-wordpress/issues/2
Timeline
- 04/30/2020 – CVE requested from cve.mitre.org.
- 04/30/2020 – Write-up created pending public disclosure.
- 05/01/2020 – Reported Vulnerability to the vendor.
- 05/01/2020 – Reported to WordPress Plugin Security Team.
- 05/11/2020 – Reply from the vendor.
- 05/11/2020 – Bug fixed in v.3.0.6.
bookmark_borderSub-Domain Takeovers — How Can Companies Better Secure Their Assets? Part 1
What are Sub-Domains?
For those of you who may not know what a sub-domain is here’s a brief description in my own words.
Sub-Domains are children to a parent domain or top-level domains (TLD). For example, https://example.com may have a sub-domain with the following URLs http://devlopment.server.example.com and http://staging.server.example.com.
Why do Sub-Domains exist?
There are several reasons why sub-domains are used. Here are some of the main reasons I have come across during my research.
- CNAME (Canonical Name Record) — pointing to a third party service that includes WordPress, Pantheon, and GitHub Pages.
- Hosting static resources — such as images, files, and other data that may not necessarily need to be hosted on a company’s internal servers. Services such as Amazon Web Services (AWS), Microsoft’s Azure, Google Cloud Engine, and Content Delivery Networks (CDNs).
- Development and Staging Environments — creating sub-domains that point to servers that aren’t meant to be public or discovered by end-users or web crawlers.
- API endpoints integrations — creating sub-domains that point to an API endpoint that is meant to serve RESTFUL data to and from applications.