what you don't know can hurt you

WordPress Citizen Space 1.1 Cross Site Scripting

WordPress Citizen Space 1.1 Cross Site Scripting
Posted Apr 19, 2015
Authored by Glyn Wintle

WordPress Citizen Space plugin version 1.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | ec623d2d94622f089d045fdae1f33a32

WordPress Citizen Space 1.1 Cross Site Scripting

Change Mirror Download
Details
================
Software: Citizen Space
Version: 1.1
Homepage: http://wordpress.org/plugins/citizen-space/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-citizen-space-allows-attackers-to-view-sensitive-information-of-the-attackers-choosing/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
================
Reflected XSS in Citizen Space allows attackers to view sensitive information of the attacker’s choosing

Vulnerability
================
It is possible to request pages that will run the attackers choice of WordPress short code and display any content of the attackers choosing. This allows the attacker to view extremely sensitive data, to create content, to access forms that have been disabled and to greatly aid the exploitation of other plugins.
This can also be exploited to perform simple cross site scripting attacks (XSS) by injecting html onto pages, if a user can be tricked into following a link constructed by the attacker. This could be used e.g. to damage the reputation of the site or another entity, or to trick the user into installing malicious software
Citizen Space looks at all urls requested on the site to see if they contain “cs_consultation” anywhere in the url including in the parameters. It then looks for the parameter path in the url, if it is found it appends into post_content with out sanitising it
$post->post_content= \'[citizenspace_consultation url=\"\'.$_GET[\'path\'].\'\"]\';
This means that the citizenspace_consultation shortcode can be broken out off by adding square brackets (]). This works because the spec for shortcodes in WordPress is strict and says there can not be any closing square brackets inside a shortcode. Any content that is placed in the path parameter after the square bracket will be searched for short codes and if they are found they are executed. HTML will also be rendered and javascript will be executed.

Proof of concept
================
Assuming a site running on localhost, making this request will inject [shortcodehere] into the page.
http://localhost/?cs_consultation&path=\"][shortcodehere][[[

Mitigations
================
Disable and remove the plugin. The plugin authors (Delib) have deprecated the plugin and removed it from the plugin directory. They no longer recommend it as a way of integrating Citizen Space with WordPress:
https://delib.zendesk.com/hc/en-us/articles/203432169-Citizen-Space-Wordpress-plug-in
https://delib.zendesk.com/hc/en-us/articles/203432149-How-do-I-integrate-Citizen-Space-into-my-existing-website-

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================
2015-01-30: Discovered
2015-03-04: CVE requested
2015-03-05: Reported to vendor by email
2015-03-12: Confirmed plan for deprecation
2015-03-31: Plugin confirmed deprecated and removed from WP.org.
2015-04-16: Published
 
 
 


Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.




Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    2 Files
  • 30
    Nov 30th
    17 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close