Sunday, December 06, 2020

[CVE-2019-17674 & CVE-2020-11025] Stored XSS through navigation menu item edited in Customizer in WordPress (Write Up)





Howdy!

This is going to be a short write-up about one of the security vulnerabilities fixed by WordPress in their security patch release [CVE-2019-17674 & CVE-2020-11025].

I reported this issue way back on March 30, 2018 through their bug bounty program on HackerOne.

This issue was in a feature of WordPress, the Navigation Menu. In the menu there is a Social Media section where a site owner can add links to their social media profiles, each with its own navigation label. Previous versions of WordPress didn't sanitize or escape HTML in these menu item fields when the menu was edited in the Customizer, which made the feature vulnerable to stored Cross Site Scripting: whatever was typed into the field was rendered as markup on the site's front end.

When a user adds a Cross Site Scripting payload in the Social Media input and publishes the edited page, the payload triggers on the home page of the owner's WordPress site, that is, for anyone who visits the front end.

In my test, I published a live demo of the vulnerability, which you can check here: https://ewsrtest.wordpress.com/

Again, this issue has already been fixed by WordPress.

--Proof of Concept--
  1. Go to https://wordpress.com/customize/<name>.wordpress.com
  2. Click the "Menus" tab on the left side
  3. Click "Social Media"
  4. Choose any tab from "Facebook, LinkedIn, Twitter and Instagram"
  5. After you choose a tab, input an XSS payload in the "Navigation Label"
  6. Click Publish
  7. Go to the domain and see the result.
Result: Stored XSS
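Below is an added example, not WordPress code and not from the original report, of the defect in code form: a menu renderer that drops the item's label and URL straight into markup, beside one that escapes each value for the context it lands in. The renderer, the `escapeHtml` and `safeUrl` helpers and the sample items (including the `onerror` payload) are all constructed for this illustration; the `javascript:` URL case goes slightly beyond the report, which concerns only the navigation label.

```javascript
// Added example, not WordPress code: vulnerable vs. hardened rendering of a
// social-links navigation menu. All data below is constructed.

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) and mailto links belong in a social-profile menu; anything else
// (javascript:, data:, unparsable input) is replaced by a harmless '#'.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return ['http:', 'https:', 'mailto:'].includes(u.protocol) ? u.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable renderer: label and URL are concatenated straight into the markup,
// so a label such as <img src=x onerror=...> becomes a live element.
function renderMenuVulnerable(items) {
  const lis = items.map((it) => `<li><a href="${it.url}">${it.label}</a></li>`);
  return `<ul class="social-menu">${lis.join('')}</ul>`;
}

// Hardened renderer: the URL is scheme-checked, then both values are escaped for
// the context they land in (attribute value and text node respectively).
function renderMenuSafe(items) {
  const lis = items.map(
    (it) => `<li><a href="${escapeHtml(safeUrl(it.url))}">${escapeHtml(it.label)}</a></li>`,
  );
  return `<ul class="social-menu">${lis.join('')}</ul>`;
}

// Constructed sample items: one benign, one with an XSS payload in the label
// (as in the proof of concept above), one with a javascript: URL.
const SAMPLE_ITEMS = [
  { label: 'Twitter', url: 'https://twitter.com/example' },
  { label: '<img src=x onerror=alert(document.domain)>', url: 'https://facebook.com/example' },
  { label: 'LinkedIn', url: 'javascript:alert(1)' },
];

// Both outputs side by side.
function demo() {
  return { vulnerable: renderMenuVulnerable(SAMPLE_ITEMS), safe: renderMenuSafe(SAMPLE_ITEMS) };
}
```

Escaping is done at output time, per context: the same label needs `&lt;` in a text node, while a URL needs both a scheme check and attribute escaping, because `javascript:` survives HTML escaping untouched.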



--Timeline--

Report Title: Stored XSS through nav menu item edited in Customizer
Reported: 2018-03-30 08:11:34 +0000
Patch Release: October 14, 2019
Reward: $600

Release notes and press coverage of the issue

https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
https://www.symantec.com/security-center/vulnerabilities/writeup/110406
https://www.securityweek.com/wordpress-524-patches-six-vulnerabilities
https://www.softpedia.com/progChangelog/WordPress-Changelog-35303.html

I hope you enjoy this write-up, have a great day y'all!

"We may encounter many defeats but we must not be defeated."
-Maya Angelou

Friday, April 24, 2020

XSS in Peerio 2 Windows Application (Write Up)



Howdy!


A few years ago I found a simple XSS vulnerability affecting the Windows application of a company called Peerio. The application was similar to what Slack is nowadays: it lets you chat with your colleagues. The XSS was in the chat input: if you enter an XSS payload in the chat box, the payload triggers automatically, since the client is a web-based application that renders the message.

The vulnerability was reported directly to their security team and they shipped a quick fix for it.

--Proof of Concept--



--Report Timeline--

Reported: Nov 21, 2017, 7:41 PM
First Response: Nov 23, 2017, 6:02 AM

Hi Evan,
thanks a lot, and quick catch — looks like this was introduced exactly one week ago.
What’s the best way to pay you? I’ll get the bureaucracy moving…
We should have a fix out tomorrow.

Fixed: Dec 2, 2017, 1:36 AM

Hi,
We pushed a direct fix in this release: https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7
And then added strict CSP in the following release for a more global solution: https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.103.0 (you can check out pull requests #144 and #145 for details)
Thanks!

Bounty: 1,000 Canadian Dollars
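The vendor's fix above was two-fold: a direct fix for the message rendering, then a strict Content Security Policy as a more global defense. The following added example (not Peerio's code, and not part of the original write-up) is a simplified model of the script-src rules a browser applies, so you can see why an injected inline `onerror=` handler is stopped by a nonce-based policy even if an escaping fix is missed, while a policy carrying `'unsafe-inline'` lets it run. The policy strings, page origin and URLs are constructed for the example; real CSP has more source forms ('strict-dynamic', ports, paths, hash evaluation) than this models.

```javascript
// Added example, not Peerio's code: a simplified model of CSP's script-src
// decision, enough to show why a strict policy stops an injected payload.
// Policies, origins and URLs below are constructed.

// "name src src; name src" -> { name: [src, src], ... }
function parseCsp(policy) {
  const directives = {};
  for (const part of String(policy).split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback when it is absent.
// null means no directive applies, i.e. everything is allowed.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || null;
}

// Inline scripts and inline event handlers (onerror=, onclick=) run only if the
// policy lists 'unsafe-inline'; once a nonce or hash source is present the
// browser ignores 'unsafe-inline' and only inline scripts carrying a listed
// nonce run. (Hash sources count as "present" but are not evaluated here.)
function allowsInlineScript(policy, nonce = null) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  if (hasNonceOrHash) return false;
  return sources.includes("'unsafe-inline'");
}

// An external script runs only if its URL matches a listed source expression.
// Supported here: 'self', '*', scheme sources ("https:") and host sources with
// an optional scheme and a leading "*." wildcard. Ports and paths are ignored.
function allowsScriptUrl(policy, url, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const target = new URL(url);
  const host = target.hostname.toLowerCase();
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src === '*') return true;
    if (src.startsWith("'")) return false; // keywords, nonces, hashes never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(src);
    if (!m) return false;
    const [, scheme, wildcard, srcHost] = m;
    if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;
    const h = srcHost.toLowerCase();
    return wildcard ? host.endsWith(`.${h}`) : host === h;
  });
}

// Constructed policies: one that still permits inline script, and a strict,
// nonce-based one of the kind the vendor describes adding as a global fix.
const LAX_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";
const PAGE_ORIGIN = 'https://app.example';

// What happens to a chat-box payload like <img src=x onerror=alert(1)> under a
// policy: it is an inline handler, and handlers never carry a nonce.
function payloadRuns(policy) {
  return allowsInlineScript(policy, null);
}
```

The point of the nonce is that the attacker controls the message body but not the per-response nonce, so markup injected through the chat box can never satisfy the policy, whatever the renderer does with it.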



I hope you enjoy this write-up! Stay tuned for more content like this in the future.

Have a great day,

Evan

“Life isn’t about finding yourself. Life is about creating yourself.”
– George Bernard Shaw

Wednesday, February 19, 2020

Data Tampering Issue in Spot.im Application (Write Up)



Howdy!


Early in November last year I found a vulnerability in Spot.IM's comment plugin, which affects the customers that use their service. The vulnerability allows an attacker to tamper with the data of a comment, which can end up as impersonation of other users: the attacker can change the text, the display name and the star rating of the comment. The vulnerability was reported to Spot.IM and was rejected; their reasoning was that it was related to phishing.
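What a server-side check for this class of issue looks like, as an added example that is not Spot.IM's code and is not from the original report: the handler takes the commenter's identity from the authenticated session and ignores any user id or display name in the request body, validates the text and star rating, and refuses a display name that collides with another account's username or display name. The `USERS` store, the session shape, the field names and the tampered request are all assumptions made for the illustration.

```javascript
// Added example, not Spot.IM code: a comment endpoint that takes identity from
// the session, not from the request body. Users and requests are constructed.

// Hypothetical account store; the real service would back this with a database.
const USERS = new Map([
  ['u1', { username: 'alice', displayName: 'Alice' }],
  ['u2', { username: 'site_admin', displayName: 'Site Admin' }],
]);

// Normalise a name before comparing so "Site  Admin", "site admin" and a copy
// padded with zero-width characters all collide with "Site Admin".
function normalizeName(name) {
  return String(name)
    .normalize('NFKC')
    .replace(/[\u200B-\u200D\uFEFF]/g, '')
    .replace(/\s+/g, ' ')
    .trim()
    .toLowerCase();
}

// True if another account already uses this name as username or display name.
function displayNameCollides(userId, displayName) {
  const wanted = normalizeName(displayName);
  for (const [id, u] of USERS) {
    if (id === userId) continue;
    if (normalizeName(u.username) === wanted || normalizeName(u.displayName) === wanted) return true;
  }
  return false;
}

// Display-name change: validated, and refused on collision with another account.
function updateDisplayName(session, requested) {
  if (!session || !USERS.has(session.userId)) return { ok: false, error: 'unauthenticated' };
  const name = String(requested || '').replace(/\s+/g, ' ').trim();
  if (name.length < 2 || name.length > 40) return { ok: false, error: 'invalid display name' };
  if (displayNameCollides(session.userId, name)) return { ok: false, error: 'display name already in use' };
  USERS.get(session.userId).displayName = name;
  return { ok: true, displayName: name };
}

// Comment creation: author fields come from the session; anything the client
// sends under userId / displayName is ignored, so a tampered request cannot
// attach someone else's name to the comment.
function createComment(session, body) {
  if (!session || !USERS.has(session.userId)) return { ok: false, error: 'unauthenticated' };
  const text = String(body.text || '').trim();
  if (!text || text.length > 5000) return { ok: false, error: 'invalid text' };
  const rating = Number(body.rating);
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) return { ok: false, error: 'invalid rating' };
  const author = USERS.get(session.userId);
  return {
    ok: true,
    comment: { userId: session.userId, displayName: author.displayName, text, rating },
  };
}

// Constructed tampered request: an alice session whose body claims to be u2.
const TAMPERED_REQUEST = {
  session: { userId: 'u1' },
  body: { userId: 'u2', displayName: 'Site Admin', text: 'Trust me, I am the admin', rating: 5 },
};
```

The collision check is the part the vendor's reply does not cover: display names being distinct from usernames only helps if a display name cannot be made to look like someone else's, which is what the normalisation before comparison is for.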

--Proof of Concept--






--Report Timeline--

Reported: Tue, Nov 26, 2019, 6:16 PM
Closed (Final Response): Fri, Dec 6, 2019, 3:21 AM

Hi Evan,
You are only modifying your own account data and it does not interfere with the data of others.
You will be unable to set a username if the username is already taken. You will be able to modify your display name, however display names are different from usernames.
Currently there are no privacy or authentication issues caused by this.
Kind Regards,
Spot.IM  

I hope you enjoy this write-up! Stay tuned for more content like this in the future.

Have a great day,

Evan

"Push yourself, because no one else is going to do it for you."