exploit the possibilities

Bit51 Better WP Security Plugin XSS / Command Execution

Bit51 Better WP Security Plugin XSS / Command Execution
Posted Jul 31, 2013
Authored by Richard Warren | Site nccgroup.com

The Better Security Wordpress Plugin suffers from a stored cross site scripting vulnerability, which can be exploited by a remote unauthenticated attacker to steal cookies or gain privileged access to the affected site. Bit51 Better WP Security Plugin versions 3.4.8, 3.4.9, 3.4.10, 3.5.2, and 3.5.3 are affected.

tags | exploit, remote, xss
MD5 | c976f23ca76e7c1eda6898d0bb24c04a

Bit51 Better WP Security Plugin XSS / Command Execution

Change Mirror Download
=======
Summary
=======
Name: Bit51 Better WP Security Plugin - Unauthenticated Stored XSS to RCE
Release Date: 30 July 2013
Reference: NGS00500
Discoverer: Richard Warren <richard.warren@nccgroup.com>
Vendor: Bit51
Vendor Reference:
Systems Affected: Bit51 Better WP Security Plugin Version 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3
Risk: High
Status: Published

========
TimeLine
========
Discovered: 1 April 2013
Released: 1 April 2013
Approved: 1 April 2013
Reported: 1 April 2013
Fixed: 21 July 2013
Published: 30 July 2013

===========
Description
===========
Bit51 Better WP Security Plugin Version 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3 -
Unauthenticated Stored XSS to RCE

I. VULNERABILITY
-------------------------
The Better Security Wordpress Plugin suffers from a stored XSS
vulnerability, which can be exploited by a remote unauthenticated attacker
to steal cookies or gain privileged access to the affected site.

II. BACKGROUND
-------------------------
Better WP Security takes the best WordPress security features and
techniques and combines them in a single plugin thereby ensuring that as
many security holes as possible are patched without having to worry about
conflicting features or the possibility of missing anything on your site.

With one-click activation for most features as well as advanced features
for experienced users Better WP Security can help protect any site.

http://bit51.com/software/better-wp-security/

=================
Technical Details
=================
The Better Security Wordpress plugin logs all 404 errors within the "logs"
tab. By purposefully requesting a non-existent page containing an XSS
payload a 404 error will be generated. When the admin clicks on the logs
lab, the XSS payload will be triggered and cookies can be stolen, or some
onsite request forgery can be carried out to gain admin access. Note -
there are possibly a few other vectors for XSS through the logs. In
addition to 404s, username login attempts, user-agents and other
potentially interesting parameters are logged.

Single quotes are escaped, but this can be bypassed easily. Also the
request must be made through burp or a script as browsers will URL encode
it. A proof of concept request can be found below:

==============================================================

GET
/xss.php?payload="><script>alert(String.fromCharCode(88,83,83))</script>
HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:15.0)
Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Cookie: wordpress_cookies.....

===============================================================

===============
Fix Information
===============
Better WP Security 3.5.4 has been released, which includes a fix for this issue.


NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    9 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close