wp-plugin : keyring – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : keyring

 

Affected Version : 1.5 (and most probably lower versions, if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Anant Shrivastava

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 
http://localhost/wp-content/plugins/keyring/includes/oauth-php/example/index.php?sig_method=<script>alert(document.cookie)</script>

 

Vulnerable Parameter : sig_method

 

Type of XSS : Reflected

 

Fixed in : 1.5.1

 

Trac Changelog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=834526%40keyring&old=804079%40keyring&sfp_email=&sfph_mail=

 

This specific vulnerability is in fact a flaw in the OAuth PHP SDK sample code. Multiple WordPress plugins bundle that same sample code, so a parallel disclosure was made; the OSVDB entry for it is listed here: http://osvdb.org/show/osvdb/101897
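Because the flaw lives in a sample page that several plugins ship unchanged, a site owner's first question is usually whether the page was ever hit. The following is an added example (not part of the advisory or the Keyring project) that scans web server access logs for requests to the vulnerable example page whose sig_method value contains anything beyond the letters, digits, dashes and underscores a real signature-method name would use. The log lines are constructed for the demonstration; the path and parameter name are taken from the PoC above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the bundled OAuth PHP sample page named in the advisory, and the
# parameter it reflects back into the response.
VULN_PATH = "/wp-content/plugins/keyring/includes/oauth-php/example/index.php"
VULN_PARAM = "sig_method"

# Legitimate signature-method names look like HMAC-SHA1, PLAINTEXT or
# RSA-SHA1, so anything outside this character set is worth a look.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9_-]+")

# Request field of a combined/common log format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def check_request(line):
    """Return the offending sig_method value when the line is a request to the
    vulnerable sample page with a suspicious sig_method, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes the values, so %3Cscript%3E becomes <script>.
    for value in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        if not ALLOWED_VALUE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (1-based line number, decoded value) for every suspicious hit."""
    hits = []
    for i, line in enumerate(lines, start=1):
        value = check_request(line)
        if value is not None:
            hits.append((i, value))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2014:10:00:00 +0000] "GET /wp-content/plugins/keyring/includes/oauth-php/example/index.php?sig_method=HMAC-SHA1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jan/2014:10:00:07 +0000] "GET /wp-content/plugins/keyring/includes/oauth-php/example/index.php?sig_method=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [05/Jan/2014:10:00:09 +0000] "GET /wp-admin/index.php?sig_method=%3Cscript%3E HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious sig_method={value!r}")
```

Only the second constructed line is reported; the third carries the same payload but targets a different path, which keeps the check tied to the page the advisory names.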

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-05

 
Plugin Status : Updated on 2014-01-07
 
Public Disclosure : July 7, 2014
 
CVE Number : Not assigned yet

 
Plugin Description :
 
See the [Keyring Developer's Guide](http://dentedreality.com.au/projects/wp-keyring/) for more details.

Keyring provides a very hookable, completely customizable framework for connecting your WordPress to an external service. It takes care of all the heavy lifting when making authenticated requests, so all you need to do is implement cool features and not worry about these tricky bits.

Out of the box, Keyring currently comes with base Service definitions for webservices which use:

* HTTP Basic
* OAuth1
* OAuth2

And includes an example service implementation (services/extended/example.php) plus ready-to-use definitions for:

* [Delicious](http://delicious.com/)
* [Facebook](http://facebook.com/)
* [Flickr](http://flickr.com/)
* [Foursquare](http://foursquare.com/)
* [Google Contacts](http://google.com/)
* [Instagram](http://instagram.com/)
* [Instapaper](http://instapaper.com/)
* [LinkedIn](http://linkedin.com/)
* [Moves](http://moves-app.com/)
* [RunKeeper](http://runkeeper.com/)
* [TripIt](http://tripit.com/)
* [Tumblr](http://tumblr.com/)
* [Twitter](http://twitter.com/)
* [Yahoo! Updates](http://yahoo.com/)

You can very easily write your own Service definitions and then use all the power of Keyring to hook into that authentication flow. See the [Keyring Developer's Guide](http://dentedreality.com.au/projects/wp-keyring/) for more details.
