wp-plugin : wp-restful – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : wp-restful
Affected Version : 0.1 (and most probably lower versions, if any)
Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC (Proof of Concept) :

http://localhost/wp-content/plugins/wp-restful/html_api_authorize.php?oauth_callback=oauth_callback'>alert(document.cookie)&

http://localhost/wp-content/plugins/wp-restful/html_api_login.php?oauth_token_temp=">alert(document.cookie)&oauth_callback_temp=">alert(document.cookie)&

Vulnerable Parameters : oauth_callback, oauth_token_temp, oauth_callback_temp
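As an added illustration (not the wp-restful plugin's own code, which this advisory does not reproduce), the pattern behind a reflected XSS of this kind is shown beside a hardened version that validates the OAuth callback as an http(s) URL and escapes it for the attribute it is written into. The form markup, function names and the use of htmlspecialchars() in place of WordPress's esc_attr()/esc_url() are assumptions.

```php
<?php
// Added illustration, not the wp-restful plugin's own code. The form markup
// and function names are assumptions modelled on the advisory's PoC.

// VULNERABLE: the client-supplied oauth_callback is written straight into
// an attribute value, so a quote followed by '>' closes the attribute and
// whatever follows is rendered as markup (the pattern the PoC exploits).
function render_authorize_form_vulnerable(array $get): string
{
    $callback = isset($get['oauth_callback']) ? $get['oauth_callback'] : '';
    return '<form method="post">'
         . '<input type="hidden" name="oauth_callback" value="' . $callback . '">'
         . '<input type="submit" value="Authorize"></form>';
}

// HARDENED: validate the callback as an http(s) URL first, then escape it
// for the HTML attribute context. Inside WordPress you would use esc_url()
// and esc_attr(); htmlspecialchars() is used so this runs stand-alone.
function sanitize_oauth_callback(string $raw): ?string
{
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function render_authorize_form_hardened(array $get): string
{
    $callback = sanitize_oauth_callback((string) ($get['oauth_callback'] ?? ''));
    if ($callback === null) {
        // Reject the request rather than reflecting the bad value back.
        return '<p>Invalid oauth_callback.</p>';
    }
    $safe = htmlspecialchars($callback, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="oauth_callback" value="' . $safe . '">'
         . '<input type="submit" value="Authorize"></form>';
}

// Constructed input shaped like the PoC: a quote and '>' to break out of the attribute.
$probe = ['oauth_callback' => '">alert(document.cookie)'];
echo render_authorize_form_vulnerable($probe), PHP_EOL; // attribute broken open
echo render_authorize_form_hardened($probe), PHP_EOL;   // rejected: not a valid URL
```

The same two steps (validate the expected type, then escape for the output context) apply to oauth_token_temp and oauth_callback_temp in html_api_login.php.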

Disclosure Timeline

Vendor Contacted : 2014-01-17
Plugin Status : Closed
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4595

Plugin Description :

**What is it?**

I'm 99% sure that you already heard about APIs or REST APIs; it's what Twitter, Flickr and a lot more companies use to share their resources with a consumer.
A consumer can be anything from a website (for example, showing your Twitter updates on your blog or personal website) to a desktop / mobile application (iPhone, Android, Windows Mobile, ...).
This is possible because all information sent to and from the API is encoded in either of two common, inter-platform languages, XML and JSON.
The difference between a regular API and a REST API is in the way they work. A REST API requires two entities to work, a client and a server.

**How does it work?**

WP-RESTful uses OAuth, a widely and commonly used, open source API implementation used all over the World (Wide Web).
The way it works is fairly simple.
First a Consumer registers with a Server. At this point the Server will provide the Consumer with 2 tokens, a public and a private token. The public token will be used to communicate with and identify the Consumer to the Server, while the private token will be stored locally for security and integrity reasons.
After this the Consumer will request a Request Token from the Server. This Request Token will be used to initiate the Authentication Protocol, in which the Consumer will be required to authorize the Server.
The Server will create 2 new tokens (definitive tokens). They will be our authentication tokens.
I know this sounds and seems complicated but you won't need to do anything as the Plugin will do almost everything for you (the Registration and Authentication processes are manual).

**Plugin features?**

* Add new Plugins to the API Plugin to extend functionality in any way you want/need. (See next group)
* Fully manageable Client and Server side.
* Ability to choose what fields are allowed to be returned to the consumer.
* Ability to restrict modules to the OAuth authentication process or liberate them and make them open.
* Load balance system where you can specify how many requests a given consumer is allowed in a 60 minute timeframe.
* Out of the box Post and Comments management.
* And much more...

**Plugins**

As stated on "Plugin Features" you have the ability to develop and/or add new modules to your REST API. This means, for example, if you use a plugin like WP E-Commerce, you can develop a plugin for the REST API in order to provide support for WP E-Commerce resources.
The way these plugins are developed is very similar to how plugins for WordPress are developed.
You can see this video that explains how plugins work and how you can develop them.

**Requirements?**

All requirements for the plugin to work properly are addressed by the plugin itself, upon activation. You can see your system status on the WP-RESTful link after activating the plugin.
