Data from "Open End" questions is not escaped properly: the raw POST value is only passed through stripslashes() and wpautop() and then through the plugin's content filter (apply_filters(WATU_CONTENT_FILTER, ...), i.e. the_content), which formats the text but does not escape HTML. The result is stored in the takings table and later echoed unescaped.
File: watu\controllers\show_exam.php
if($ques->answer_type=='textarea' and !empty($_POST["answer-" . $ques->ID][0])) {
    if(!sizeof($all_answers)) $textarea_class = 'correct-answer';
    // user-controlled answer is concatenated into HTML with no escaping
    $result .= wpautop("<li class='user-answer $textarea_class'><span class='answer'><!--WATUEMAIL".$class."WATUEMAIL-->".stripslashes($_POST["answer-" . $ques->ID][0])."</span></li>");
}
// the_content-style filter formats but does not neutralise markup
$results_output = '<hr />' . apply_filters(WATU_CONTENT_FILTER,$result);
$snapshot = $final_output . $results_output;
// the unescaped HTML is persisted (the query itself is prepared, so this is not SQLi)
$wpdb->query($wpdb->prepare("UPDATE ".WATU_TAKINGS." SET snapshot=%s WHERE ID=%d", $snapshot, $taking_id));
The stored payload is later rendered to the administrator (stored XSS): the takings view fetches the snapshot and echoes it without escaping.
File: watu\controllers\takings.php
function watu_taking_details() {
    global $wpdb, $user_ID;

    // select taking
    $taking=$wpdb->get_row($wpdb->prepare("SELECT * FROM ".WATU_TAKINGS." WHERE id=%d", $_REQUEST['id']));

    // select user
    $student=$wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE id=%d", $taking->user_id));

    // make sure I'm admin or that's me
    if(!current_user_can('manage_options') and $student->ID!=$user_ID) {
        wp_die( __('You do not have sufficient permissions to access this page', 'watu') );
    }

    // select exam
    $exam=$wpdb->get_row($wpdb->prepare("SELECT * FROM ".WATU_EXAMS." WHERE id=%d", $taking->exam_id));

    require(WATU_PATH. '/views/taking_details.html.php');
    exit;
}
File: watu\views\taking_details.html.php
<p><?php echo stripslashes($taking->snapshot); ?></p>
Proof of Concept
If an exam has at least one "Open End" question, an attacker who can take the exam can submit an XSS payload as the answer, for example:
<script>alert("XSS");</script>
The payload is rendered for the user right after the form is submitted, and also for the admin on the takings page:
http://wordpress-instalation/wp-admin/admin.php?page=watu_takings&exam_id=%exam_id%
The admin must press the "view" button, which loads the unescaped snapshot via:
http://wordpress-instalation/wp-admin/admin-ajax.php?action=watu_taking_details&id=%result_id%
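For reference, the following is an added example of how the "Open End" branch can be hardened; it is not the plugin's own code nor the vendor's fix. It assumes the variables used by the original show_exam.php branch ($ques, $all_answers, $class, $result, $textarea_class) are defined by the surrounding code, and uses only standard WordPress helpers (wp_unslash, esc_html, esc_attr, wpautop, wp_kses_post). The answer is escaped at the point where it enters the HTML snapshot, because the snapshot is stored as HTML and cannot simply be escaped on output without breaking the rest of the markup.

```php
<?php
// Added example, not the plugin's code. Assumes $ques, $all_answers, $class,
// $result and $textarea_class exist as in the original show_exam.php branch.
if ($ques->answer_type == 'textarea' && !empty($_POST["answer-" . $ques->ID][0])) {
    if (!sizeof($all_answers)) {
        $textarea_class = 'correct-answer';
    }

    // wp_unslash() removes the slashes WordPress adds to $_POST (what the
    // original stripslashes() did); esc_html() turns <, >, &, " and ' into
    // entities, so "<script>alert(1)</script>" is stored and shown as text.
    $answer = esc_html(wp_unslash($_POST["answer-" . $ques->ID][0]));

    $result .= wpautop(
        "<li class='user-answer " . esc_attr($textarea_class) . "'>"
        . "<span class='answer'><!--WATUEMAIL" . $class . "WATUEMAIL-->"
        . $answer
        . "</span></li>"
    );
}
// The rest of the original flow (apply_filters on $result, building $snapshot,
// the prepared UPDATE) can stay as it is: $result no longer carries raw input.
?>

<!-- views/taking_details.html.php: takings saved before the fix may already
     contain markup, so additionally restrict the stored HTML to WordPress'
     post-safe tag set on output as defence in depth. -->
<p><?php echo wp_kses_post(stripslashes($taking->snapshot)); ?></p>
```

wp_kses_post() keeps the tags and class attributes the snapshot legitimately uses (p, li, span, hr) and the WATUEMAIL HTML comment markers, but strips script, event handler attributes and javascript: URLs; since it rewrites the markup, render a few existing takings after applying it to confirm the layout is unchanged. Escaping at input is the actual fix; the output filter only protects rows written by the vulnerable version.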
Timeline
- 21-10-2014: Discovered
- 12-11-2014: Vendor notified
- 12-11-2014: Version 2.5.0.2 released, issue resolved