Twenty Year Anniversary

WordPress Nextend Facebook Connect 1.5.4 Cross Site Scripting

WordPress Nextend Facebook Connect 1.5.4 Cross Site Scripting
Posted Jun 23, 2015
Authored by Liran Segal

WordPress NextEnd Connect plugin version 1.5.4 suffers from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2015-4413
MD5 | 5e2f2f19de66471a98f1b1c5229ec881

WordPress Nextend Facebook Connect 1.5.4 Cross Site Scripting

Change Mirror Download
Document Title:
===============
WordPress “Nextend Facebook Connect” Plugin Version: 1.5.4 is vulnerable to Reflected XSS (Cross Site Scripting)


Download URL:

=============

https://wordpress.org/plugins/nextend-facebook-connect/



Release Date:

=============
2015-06-20


Vulnerability CVE ID:

=====================
CVE-2015-4413


Vulnerability Disclosure Timeline:

==================================
2015 – 06 – 03 First notified to WordPress.
2015 – 06 – 07 First notified to plugin vendor .
2015 – 06 – 10 First notified to Mitre for CVE number.
2015 – 06 – 11 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.


Discovery Status:

=================

Published


Severity Level:

===============

High


Technical Details, Description & Proof of Concept (PoC):

========================================================

After installing Wordpress I add the plugin " Nextend Facebook Connect" witch allow you to login Wordpress with Facebook account.

During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.


To reach to root of the problem, I took a look in the plugin source code and realized that the “new_fb_sign_button()” witch located in the file “nextend-facebook-connect.php”.

The problematic function are locate in line 432:
http://www.siz.co.il/my.php?i=djvy5z2yhczl.png


As you can see in the line 432, the function don’t escapes HTML tags or other dangerous symbols.

When attacker injects the Javascript code in the URL the function runs the code, as you can see:
http://www.siz.co.il/my.php?i=zeu3dnmw5ktz.png

And pop the alert window.


Solution - Fix & Patch:

=======================

In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)

As you can see in the image:
http://www.siz.co.il/my.php?i=3jwizyzfgtmu.png

Liran Segal (Bugsec Information Security LTD)

Regards,
Liran Segal
Penetration Testing
BugSec Cyber & Information Security

____________________________________________________________________________________________________________________________________________________________________________________________


Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351

Mail: lirans@bugsec.com<mailto:lirans@bugsec.com> Site: www.bugsec.com<http://www.bugsec.com/>

[úéàåø: úéàåø: úéàåø: bugsec_car_logo]<http://www.bugsec.com/>
Would you know if you’re under attack?
[úéàåø: cid:image002.jpg@01CF3E27.3B0DCAC0]<http://www.cyber-spear.com/>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    19 Files
  • 23
    Oct 23rd
    24 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close