Titan Framework 1.0.1 - 1.5.2, Reflected XSS

The Titan Framework ships a file named ‘iframe-googlefont-preview.php’ in its repository and in the version distributed from ‘wordpress.org’. Its purpose is to let users preview fonts loaded from the Google Fonts service, using either the default string ‘Grumpy wizards make toxic brew for the evil Queen and Jack’ or a string of their choosing supplied via the ‘t’ query string argument (QSA). The ‘t’ QSA is output as-is, without any validation or encoding, which makes a Reflected XSS attack possible. A second script, ‘iframe-font-preview.php’, is vulnerable in the same way via its ‘text’ QSA. Because the Titan Framework is so widely used, a large number of plugins are vulnerable simply by bundling it.

Homepage

http://wordpress.org/plugins/titan-framework/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update Titan Framework to 1.6

Proof of Concept

The following URL results in the script `alert(".");` being output unencoded to the user's browser.

http://localhost/wp-content/plugins/<path to titan framework>/iframe-googlefont-preview.php?f=Arial&t=<script type="text/javascript">alert(".");</script>

Alternatively, a second script named ‘iframe-font-preview.php’ can be exploited as follows.

http://localhost/wp-content/plugins/<path to titan framework>/iframe-font-preview.php?text=<script type="text/javascript">alert(".");</script>
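For comparison, the following is an added example and not the Titan Framework's own code: a minimal font-preview endpoint of the kind described above, with the raw reflection of ‘t’ shown as a comment and the hardened handling below it. The font allow-list, the Google Fonts stylesheet URL and the use of ‘f’ as a font family name are assumptions.

```php
<?php
// Added example (not the Titan Framework's code): a minimal font-preview page
// that takes the same 'f' and 't' query string arguments as the advisory's PoC.
// Assumption: a fixed allow-list stands in for whatever font lookup the real
// script performs; inside WordPress, esc_html()/esc_attr() would replace
// htmlspecialchars(), which is used here so the snippet runs stand-alone.

$default_text  = 'Grumpy wizards make toxic brew for the evil Queen and Jack';
$allowed_fonts = ['Arial', 'Open Sans', 'Roboto']; // hypothetical allow-list

// Vulnerable pattern as described in the advisory: the QSA is echoed raw, so
// any markup in 't' lands in the page unchanged.
// echo isset($_GET['t']) ? $_GET['t'] : $default_text;

// Hardened: the font name is validated against the allow-list rather than
// encoded, because it is emitted inside a <style> block where HTML entity
// encoding would not apply (CSS text is not entity-decoded).
$font = (isset($_GET['f']) && in_array($_GET['f'], $allowed_fonts, true))
    ? $_GET['f']
    : 'Arial';

// Free-form preview text is kept, but encoded for the HTML body context.
// ENT_QUOTES covers both quote styles so the same value would also be safe
// inside an attribute; UTF-8 is stated explicitly rather than relying on the
// PHP default charset.
$text      = (isset($_GET['t']) && $_GET['t'] !== '') ? $_GET['t'] : $default_text;
$safe_text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

// URL context needs URL encoding, not HTML encoding (assumed stylesheet URL).
$font_url = 'https://fonts.googleapis.com/css?family=' . rawurlencode($font);

header('Content-Type: text/html; charset=UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" href="<?php echo htmlspecialchars($font_url, ENT_QUOTES, 'UTF-8'); ?>">
  <style>body { font-family: "<?php echo $font; ?>"; }</style>
</head>
<body><?php echo $safe_text; ?></body>
</html>
```

With this version the PoC URL above renders the literal text `<script type="text/javascript">alert(".");</script>` instead of executing it, and an unknown value of ‘f’ falls back to the default font.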

Timeline

  • 2014-09-16: Discovered
  • 2014-09-16: Reported to vendor
  • 2014-09-16: CVE requested
  • 2014-09-16: Vendor responded with intent to fix the issue
  • 2014-09-16: Vendor published fix to GitHub repo
  • 2014-09-19: CVE assigned
  • 2014-09-29: Update requested from vendor
  • 2014-09-30: Vendor releases 1.6 – issue resolved
  • 2014-10-07: Advisory released