Support » Plugin: All-in-One Event Calendar » (6) exploitable XSS issues ALL Versions from version 1.4 to 1.8.2

  • Vendor Notification: 21 March 2012 Public Disclosure: 11 April 2012
    As of 11/29/2012, This Issue has NO VENDOR SOLUTION. The article states the exposure started with 1.4 and I can confirm it was exploitable with the current version

    To re-validate, create a new event, set the event title to ><script>alert(document.cookie);</script>
    preview the event. if you see a popup

    I re-validated as of 11-28-12, this IS exploitable today with a fully up to date WordPress site and fully up to date set of plugins including all-in-one event calendar.

    Exposure: Any person capable of editing or creating an all-in-one event can set or be exploited to set the attack string which can steal WordPress credentials for the logged in session, infect normal or admin WordPress users roles with drive by download malware. Any site running over HTTP where events are added or edited can also be exploited to inject this persistent XSS to take blog users or admin users off site for drive by download, or credential exploit.
    XSS is a vulnerability fully capable of fully compromising the affected user machine, including server if the admins hit an exploited page.

    For remediation the affected values must be encoded. The Following WordPress security plugins are either not intended to prevent XSS or are ineffective at preventing exploit of this issue: including but not limited to Mute screamer, PHP IDS, AVH First Defense Against Spam and BPS Pro.

    <rhetorical>Where are these remotely exploitable issues suppose to appear in the WordPress interface.

    Perhaps a little public disclosure to more than the security researcher and hacker community might mitigate some un-managed risk. Seriously how hard is it to HTML encode or java script encode as applicable, 6 forms affected user space properties?

    These remotely exploitable issues should display somewhere in the plugins management window, they should be required to display before installation or update of the plugin if unfixed</rhetorical>

    CVE-2012-1835
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1835

    Advisory ID: HTB23082
    Product: All-in-One Event Calendar Plugin for WordPress
    Vendor: The Seed Studio
    Initial Vulnerable Version(s): 1.4 and probably prior Tested Version: 1.4 Vendor Notification: 21 March 2012 Public Disclosure: 11 April 2012 Vulnerability Type: Cross-Site Scripting (XSS) CVE Reference(s): CVE-2012-1835 Risk Level: Medium
    Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )

    ———————————————————————————————–

    Advisory Details:

    High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in All-in-One Event Calendar Plugin for WordPress, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

    1) Cross-Site Scripting (XSS) in All-in-One Event Calendar Plugin for WordPress: CVE-2012-1835

    1.1 Input passed via the “title” GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

    The following PoC (Proof of Concept) demonstrates the vulnerability:

    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title%5Bid%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

    1.2 Input passed via the “args”, “title”, “before_title”, “after_title” GET parameters to /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

    The following PoC (Proof of Concept) demonstrate the vulnerabilities:

    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args%5Bbefore_widget%5D=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

    1.3 Input passed via the “button_value” GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

    The following PoC (Proof of Concept) demonstrates the vulnerability:

    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php?button_value=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

    1.4 Input passed via the “msg” GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

    The following PoC (Proof of Concept) demonstrates the vulnerability:

    http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php?msg=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

    Successful exploitation of these vulnerabilities (1.1-1.4) requires that “register_globals” is enabled.

    ———————————————————————————————–

    Solution:

    Currently we are not aware of any vendor-supplied patches or other solutions.

    Edit the application source code to ensure that input is properly sanitized.

    ———————————————————————————————–

    References:

    [1] High-Tech Bridge Advisory HTB23082 – https://www.htbridge.com/advisory/HTB23082 – Multiple XSS vulnerabilities in All-in-One Event Calendar Plugin for WordPress.
    [2] All-in-One Event Calendar Plugin for WordPress – http://theseednetwork.com/ – An event calendar system with month, week, agenda views, upcoming events widget, color-coded categories, recurrence, and import/export of .ics feeds.
    [3] Common Vulnerabilities and Exposures (CVE) – http://cve.mitre.org/ – international in scope and free for public use, CVE┬« is a dictionary of publicly known information security vulnerabilities and exposures.

    ———————————————————————————————–

    Disclaimer: The information provided in this Advisory is provided “as is” and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

    If you write code, go to , read and understand and implement controls you can find at https://www.OWASP.org
    You can not depend on WordPress or plugin security controls to mitigate YOUR code risks.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Solution Status: Fixed by Vendor
    Risk Level: Medium
    Discovered and Provided: High-Tech Bridge Security Research Lab

    Not sure which is worse, the exploitable XSS in the current version of plugin, or the non factual opinion assertion that a fixed was released.

    I have seen no fix, I have seen it exploitable in the current version.
    I have no idea why someone would say a vendor said its fixed.

    shrug, you can’t patch stupid.

    in what way is it fixed while someone still can unmask phpsessionid ??

    Ededededededed, in your post it states:

    Any site running over HTTP where events are added or edited can also be exploited to inject this persistent XSS to take blog users or admin users off site for drive by download, or credential exploit.

    Do you know if this is true of a site under SSL using HTTPS as well?

    Non factual opinion? You must be referring to the link in the references portion of your original post (above): [1] High-Tech Bridge Advisory HTB23082, from which I provided my previous post.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘(6) exploitable XSS issues ALL Versions from version 1.4 to 1.8.2’ is closed to new replies.