Twenty Year Anniversary

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting
Posted Jun 24, 2015
Authored by Liran Segal

WordPress Nextend Twitter Connect plugin version 1.5.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2015-4557
MD5 | 69b9b1581f86d9565672948148e37061

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

Change Mirror Download
Wordpress “Nextend Twitter Connect”
===================================
Document Title:
===============
WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)


Download URL:

=============

https://wordpress.org/plugins/nextend-twitter-connect/



Release Date:

=============
2015-06-20


Vulnerability CVE ID:

=====================
CVE-2015-4557


Vulnerability Disclosure Timeline:

==================================
2015 – 06 – 15 First notified to WordPress.
2015 – 06 – 15 First notified to plugin vendor .
2015 – 06 – 15 First notified to Mitre for CVE number.
2015 – 06 – 16 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.


Discovery Status:

=================

Published


Severity Level:

===============

High


Technical Details, Description & Proof of Concept (PoC):

========================================================

After installing Wordpress I add the plugin "Nextend Twitter Connect" witch allow you to login Wordpress with Twitter account.

During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.
http://www.siz.co.il/my.php?i=hvmwzqo0tmjw.png


To reach to root of the problem, I took a look in the plugin source code and realized that the “new_Twitter_sign_button” witch located in the file “nextend-Twitter-connect.php”.

The problematic function are locate in line 492:
http://www.siz.co.il/my.php?i=bndijzkozjdy.png


As you can see in the line 492, the function don’t escapes HTML tags or other dangerous symbols.

When attacker injects the Javascript code in the URL the function runs the code, as you can see:

http://www.siz.co.il/my.php?i=ni4jzmzjmrni.png

And pop the alert window.


Solution - Fix & Patch:

=======================

In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)

As you can see in the image:
http://www.siz.co.il/my.php?i=yjz4jmie4m1g.png



Wordpress “Nextend Google Connect”
===================================
Document Title:
===============
WordPress “Nextend Google Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)


Download URL:

=============

https://wordpress.org/plugins/nextend-google-connect/



Release Date:

=============
2015-06-20


Vulnerability CVE ID:

=====================
CVE-2015-4557


Vulnerability Disclosure Timeline:

==================================
2015 – 06 – 15 First notified to WordPress.
2015 – 06 – 15 First notified to plugin vendor .
2015 – 06 – 15 First notified to Mitre for CVE number.
2015 – 06 – 16 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.


Discovery Status:

=================

Published


Severity Level:

===============

High


Technical Details, Description & Proof of Concept (PoC):

========================================================

After installing Wordpress I add the plugin "Nextend Google Connect" witch allow you to login Wordpress with Google account.

During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.
http://www.siz.co.il/my.php?i=yzjzqwyn4qo3.png


To reach to root of the problem, I took a look in the plugin source code and realized that the “new_google_sign_button” witch located in the file “nextend-Google-connect.php”.

The problematic function are locate in line 433:

http://www.siz.co.il/my.php?i=z4dnntazxkmz.png


As you can see in the line 433, the function don’t escapes HTML tags or other dangerous symbols.

When attacker injects the Javascript code in the URL the function runs the code, as you can see:

http://www.siz.co.il/my.php?i=0omtugeig1z0.png



And pop the alert window.


Solution - Fix & Patch:

=======================

In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)

As you can see in the image:
http://sizmedia.com/my.php?i=zmnjdljwthmm.png


Liran Segal (Bugsec Information Security LTD)

Regards,
Liran Segal
Penetration Testing
BugSec Cyber & Information Security

____________________________________________________________________________________________________________________________________________________________________________________________


Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351

Mail: lirans@bugsec.com<mailto:lirans@bugsec.com> Site: www.bugsec.com<http://www.bugsec.com/>

[úéàåø: úéàåø: úéàåø: bugsec_car_logo]<http://www.bugsec.com/>
Would you know if you’re under attack?
[úéàåø: cid:image002.jpg@01CF3E27.3B0DCAC0]<http://www.cyber-spear.com/>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    6 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    8 Files
  • 23
    May 23rd
    53 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close