Wednesday 25 June 2014

Wordfence Firewall Plugin XSS "CVE-2014-4664"



Hello all friends, it has been a long time since I last talked or posted about an XSS vulnerability. My last post about XSS was the Google XSS, which I found last year at the start of my career.

So let's get to the post.

Today we will see how I found the WordPress firewall plugin Wordfence XSS.



Wordfence -
Wordfence starts by checking if your site is already infected. Wordfence does a deep server-side scan of your source code, comparing it to the official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.

Wordfence Security is 100% free. Wordfence also offers a Premium API key that gives you access to their premium support ticketing system at support.wordfence.com, along with two-factor authentication via SMS, country blocking and the ability to schedule scans for specific times.



Downloads per day: 700-3000

===============

While analyzing my website logs I saw that there is a whois IP lookup button for getting information about a visitor's IP, like this:





I thought I should try for XSS here, so for testing I injected <script>alert(/Testing/)</script>

In the response the injected payload was not filtered or sanitized before being echoed out to the client side, but the script was still not getting executed, so I looked into the source code to review it.
Source code preview:



Now I don't need to explain what I did next, but I would like to explain it for newbies so they can understand properly.

Our injected payload is reflected back inside a script tag, within a JavaScript string, like <script>" some JavaScript code blaaa blaaaa (payload) " </script>

So I need to create a payload which triggers the XSS by breaking my payload out of the <script></script> tag.
That means I need to prefix my payload with ";</script><mypayload>    !!! Why? Because the double quote closes the JavaScript string, the semicolon ends the statement, and </script> closes the script block, so whatever follows is parsed by the browser as fresh HTML.





Now there is no need to explain further why I did this next: I just created the payload ";</script><script>alert(/Oppps !!! Bhati Got A XSS In Wordpress Firewall Plugin Wordfence /)</script>
And it got executed.
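As an added example (not the plugin's code; the template, function names and sample value are assumptions), here is the reflection pattern the post describes next to a hardened version: validate that the lookup parameter really is an IP address, and encode it for the JavaScript-string context so a closing tag in the input can never end the script block.

```python
import ipaddress
import json

# Constructed sample in the shape the post describes: close the JS string,
# close the script block, then open a new one.
BREAKOUT = '";</script><script>alert(1)</script>'

# Hypothetical template standing in for a page that echoes the lookup value
# into a JavaScript string literal inside a <script> block.
TEMPLATE = '<script>var ip = "{}"; doWhois(ip);</script>'


def render_vulnerable(ip_param):
    # Raw reflection into the JS string: no validation, no encoding.
    return TEMPLATE.format(ip_param)


def js_string_literal(value):
    # JSON-encode for a JS string context (quotes, backslashes and non-ASCII
    # become escapes), then also escape <, > and & so the HTML parser can
    # never see "</script>" or a comment opener inside the literal.
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_safe(ip_param):
    # Defence 1: the lookup value must be an IP address; reject anything else.
    try:
        ip = str(ipaddress.ip_address(ip_param.strip()))
    except ValueError:
        return None
    # Defence 2: encode for the exact output context (a JS string literal).
    return '<script>var ip = {}; doWhois(ip);</script>'.format(js_string_literal(ip))


def contains_breakout(html):
    # Detection helper for a response: the template emits exactly one
    # closing script tag, so a second one means the input broke out.
    return html.lower().count('</script>') > 1


if __name__ == '__main__':
    print(render_vulnerable(BREAKOUT))
    print(render_safe(BREAKOUT))
    print(render_safe('203.0.113.7'))
```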







And I Was Like 






Video POC 


And Game Over


Comments And Suggestions Are Always Welcome :-)

===========================================

Vulnerability Reported - 24-June-2014

Confirmation (Acknowledgement) - 24-June-2014

Scheduled a Responsible Disclosure - 25-June-2014

Fixed the Issue and Patch Release Date - 24-June-2014 (Very fast ;-) )

Public Disclosure - 30-June-2014

http://www.wordfence.com/blog/2014/06/security-fix-wordfence-5-1-4/

==========================================
