Support » Plugin: BuddyPress Activity Plus » XSS vulnerability in 1.6.3

  • Resolved tempacc1234

    (@tempacc1234)


    Since this has been fixed i’ll publish here the report i sent to WPMU DEV so everyone can see it and choose if they want to keep using WPMU DEV’s plugins.

    I was going to post this in wordpress.org support forum, but i don’t want to f**k your users because of your incompetence. I’ll give you 24 hours to update your plugin before full disclosure.

    Just another bug in your code, and this is a big one.

    Enter one of the URLs below as the image URL, click the preview button and enjoy your XSS:

    http://thisisnotamalicious.url"><a href=http://google.com>Click this innocent link! I swear it is safe!</a> <!--

    Or just redirect to a malicious page without user interaction (change 7 to 8 if you are using https):

    http://thisisnotamalicious.url"><script>var x = String(/google.com/);x = x.substring(1, x.length-1);y = location.href;window.location.replace(y.substring(0, 7) + x)</script>

    Nice job, WPMU DEV. How many years with a XSS vulnerability?

    This vulnerability allowed an attacker to execute arbitrary code in the client’s browser just by using an URL similar to the ones i described above. This is a very basic but very dangerous attack and it should have been fixed several years ago.

    I guess this vulnerability affects every single version from 1.6.3 to the first one, but i only tested it in 1.6.3.

    UPDATE NOW!

    https://wordpress.org/plugins/buddypress-activity-plus/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Hi tempacc1234. Do you know if there is anything we can do to prevent major harm if a plugin has such a vulnerability?

    I’ve followed WordPress’s security hardening tips to prevent attacks, and have the Wordfence security plugin, so I’m hoping my site is hardened well enough to prevent attacks through this vulnerability.

    Hi, tempacc1234 .

    Since this has been fixed i’ll publish here the report i sent to WPMU DEV so everyone can see it and choose if they want to keep using WPMU DEV’s plugins.

    Whilst it’s regrettable and shouldn’t have been there, however, I wouldn’t consider this a true XSS vulnerability.

    As far as I can see, the code injection will take place only on the client side for the user that is injecting the script. (same thing can be done by using the browser console). The injected script won’t be saved, therefore, will not affect other users. It can’t be used through reflection either.

    Please let me know if I’m missing something here.

    Thank you for taking the time to report the issue and allowing us to fix it up.

    Hey, andy277.

    Do you know if there is anything we can do to prevent major harm if a plugin has such a vulnerability?

    Just try to always be up to date, you could have a code audit run if you so desired.

    Even the core of WordPress has security issues from time to time.

    https://wordpress.org/news/category/security/

    We’re grateful that awesome people report those issues before going public first so that developers have ample time to fix up and release.

    Cheers

    Thread Starter tempacc1234

    (@tempacc1234)

    Sorry, i don’t have the skills or knowledge to give you good advice. And that is the worst part of all this. A noob like me found in a couple of days a lot of bugs and a big vulnerability in this plugin while WPMU DEV couldn’t find them in 4 years, 4 years! What does that says about WPMU DEV skills? In top of all this, my english is very limited so i can’t express myself correctly.

    But i can tell you this:

    – Never trust your users, always sanitize user input. It’s better to check things twice than to not be sure if you checked it enough.
    – Never trust other people’s code. I’m not saying that you can’t use other people’s code, just don’t install it and expect it to be secure.
    – Always check the code for best practices and common vulnerabilities (XSS is in the top 3 of vulnerabilities). Take a look at this plugin’s code, it’s a big mess of bad practices, bugs and unreadable code. Don’t trust anything from WPMU DEV.

    There are a lot of tools that could help you, like web vulnerability scanners or exploit frameworks (like acunetix, nikto or metasploit). Check exploit databases frequently too. You can check your website for sql injections with sqlmap crawler, don’t forget to check the forms too. Keep everything updated to the last stable version and follow the KISS principle (Keep It Simple, Stupid!).

    “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”

    Thread Starter tempacc1234

    (@tempacc1234)

    OMG!

    Whilst it’s regrettable and shouldn’t have been there, however, I wouldn’t consider this a true XSS vulnerability.

    As far as I can see, the code injection will take place only on the client side for the user that is injecting the script. (same thing can be done by using the browser console). The injected script won’t be saved, therefore, will not affect other users. It can’t be used through reflection either.

    You can use social engineering to trick someone to enter the malicious URL in the form. WTF!?

    This is a legit URL:

    http://www.google.si/imgres?imgurl=http://www.newslinq.com/wp-content/uploads/2014/06/ex-girlfriend-meme-14.jpg&imgrefurl=http://www.newslinq.com/ex-girlfriend-memes/&h=537&w=550&tbnid=gfZV50vHkUdoPnM:&docid=wb_0Bw7bFw4tfbM&ei=sCRKVv-xHIb3PacLaoEA&tbm=isch&ved=0CDAQMygAMfABqFQoTCP_J1rLNlckCcFYZ7DwodQi0ICA

    Are you telling me you can’t add a malicious script between all that gibberish and trick someone to use that URL?

    From Wikipedia:

    As the JavaScript code was also processing user input and rendering it in the web page content, a new sub-class of reflected XSS attacks started to appear that was called DOM-based cross-site scripting. In a DOM-based XSS attack, the malicious data does not touch the web server. Rather, it is being reflected by the JavaScript code, fully on the client side.

    Do you even know what XSS is?

    Hello tempacc1234,

    Hope you are doing well.

    As stated above, reflected XSS is not possible in this case because our plugin is not parsing any injected parameter.
    If you read carefully, the reflection method relies in JS parsing the input from the GET parameters or some other external source.

    – Never trust your users, always sanitize user input. It’s better to check things twice than to not be sure if you checked it enough.

    I totally agree with you on this point and that’s why we released a new version today with enforced sanitization to avoid any confusion.

    Do you even know what XSS is?

    I wouldn’t call this an XSS vulnerability because it doesn’t allow any type of XSS. I believe it is important to emphazise that the sites using this plugin were not at risk.

    Thank you for your useful feedback.

    Thread Starter tempacc1234

    (@tempacc1234)

    Please, stop. You are embarrasing yourself.

    DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.

    https://www.acunetix.com/websitesecurity/xss/

    If an attacker can abuse a XSS vulnerability on a web page to execute arbitrary JavaScript in a visitor’s browser, the security of that website or web application and its users has been compromised — XSS is not the user’s problem, like any other security vulnerability, if it’s affecting your users, it will affect you.

    https://www.acunetix.com/websitesecurity/cross-site-scripting/

    DOM XSS is a type of cross site scripting attack which relies on inappropriate handling, in the HTML page, of the data from its associated DOM. Among the objects in the DOM, there are several which the attacker can manipulate in order to generate the XSS condition, and the most popular, from this perspective, are the document.url, document.location and document.referrer objects.

    https://www.acunetix.com/blog/articles/dom-xss-explained/

    Plugin Author Aaron Edwards

    (@uglyrobot)

    Hello tempacc1234, this is the CTO of WPMU DEV.

    First I want to thank you for reporting the issue, and waiting for us to release a fix before posting. I wish you would have provided your name in the contact so we could have given you credit in the changelog.

    I won’t try to argue about how bad the vulnerability was or anything. We have very strict standards on our code quality and security best practices. We also do full security reviews on all code before release. This particular XSS issue slipped through, mostly because it was JS based only. Sorry, but it happens sometimes to the best of us. WP core itself has had 7 major security releases in the last year alone, some of which fixed very similar vulnerabilities. There are security issues outstanding in most released software, yet to be discovered. What matters is that the developer fixes it promptly and makes it available to customers easily.

    And in this case we certainly did take it seriosly and fixed it within a matter of hours of you reporting. And that’s why you can trust WPMU DEV.

    Thanks again, if you want a free month of WPMU DEV membership just send use the contact form and link to this thread.

    Thread Starter tempacc1234

    (@tempacc1234)

    Are the broken destroy functions, the insane abuse of ternary operators, the illegible code, the possibility of posting invalid URLs resulting in empty activity posts, the lack of thumbnails for remote images, the ugly styles and horrible layout, “very strict standards on our code quality”?

    What about messing with the What’s new form user experience? And the difficulty to make changes without breaking everything else? Wrapping ugly HTML and CSS in ugly JS?

    Do you think this is “very strict standards on our code quality”?:

    <div class="bpfb_images">
    <?php $rel = md5(microtime() . rand());?>
    <?php foreach ($images as $img) { ?>
    	<?php if (!$img) continue; ?>
    	<?php if (preg_match('!^https?:\/\/!i', $img)) { // Remote image ?>
    		<img src="<?php echo $img; ?>" />
    	<?php } else { ?>
    		<?php $info = pathinfo(trim($img));?>
    		<?php $thumbnail = file_exists(bpfb_get_image_dir($activity_blog_id) . $info['filename'] . '-bpfbt.' . strtolower($info['extension'])) ?
    			bpfb_get_image_url($activity_blog_id) . $info['filename'] . '-bpfbt.' . strtolower($info['extension'])
    			:
    			bpfb_get_image_url($activity_blog_id) . trim($img)
    		;
    		$target = 'all' == BPFB_LINKS_TARGET ? 'target="_blank"' : '';
    		?>
    		<a href="<?php echo bpfb_get_image_url($activity_blog_id) . trim($img); ?>" class="<?php echo $use_thickbox; ?>" rel="<?php echo $rel;?>" <?php echo $target; ?> >
    			<img src="<?php echo $thumbnail;?>" />
    		</a>
    	<?php } ?>
    <?php } ?>
    </div>

    Destroying the image handler takes several seconds, is that “very strict standards on our code quality” too?

    WP core has thousands of lines of code, how many has this plugin? This plugin only has 3 front-end input fields, and one of them had an XSS vulnerability for several years, is that “very strict standards on our code quality and security best practices”?

    Did all this “slip through”?

    Stop treating us like we are stupid, because we are not.

    Are you trying to bribe me?

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘XSS vulnerability in 1.6.3’ is closed to new replies.