This post is about a vulnerability disclosure around a DOM XSS which was forgotten somewhere during the process. I encountered it recently and then went on my way to get it fixed. This post outlines the various learnings and observations I made during this effort.
UPDATE 1: 14 May 2015: More details added at the end around in-the-wild exploitation examples, affected websites, and how to find the vulnerable code.
Update 2: 20 May 2015: A visual version of the blog post I presented during the combined meet of the (null/OWASP/G4H) Bangalore chapters.
Update 3: 17 June 2015: More than a month since this blog post, and more issues are still being found online. This time LastPass is found vulnerable to XSS due to this.
----
10 days ago I was informed by one of my clients about a DOM XSS being exploited on their website. After some due-diligence checks we zeroed in on a single WordPress plugin, “facebook-page-photo-gallery”, as the vulnerable component, so we decided to remove the plugin and the vulnerability was gone. We also informed plugins@wordpress.org about the issue, and for my client that was the end of the story.
However, as I was intrigued by what was causing the issue, I started to dig in and zeroed in on a specific jQuery plugin called “PrettyPhoto”, developed by Stephane Caron and hosted here.
At this point my understanding was that the WordPress plugin must be bundling an older version of the JavaScript library and that the newer version would be patched. And indeed, when I visited the official website I found that a newer version was available. However, this is where things get interesting. To my surprise, the payload that had been used on my client’s website worked without any modification on the no-margin-for-errors website too, which meant that the latest version was also vulnerable. More interestingly, the last update to the code was around March 2013.
At this point I started searching Google to check whether the issue had been encountered by someone else as well. The search was not a waste: I ended up on a blog post by Perucrack.net (dated August 2014), which confirmed my suspicion that this had already been reported and hence should have been patched already. This was the forgotten disclosure.
So I raised a GitHub issue asking for more details about this, and sent out some tweets to get the word out.
Found http://t.co/IYGmsSRMJr to be exploited in wild. july 2014 till now close to one year:no patch. Remove prettyphoto.js from production
— Anant Shrivastava (@anantshri) May 5, 2015
Jquery plugin PrettyPhoto.js is vulnerable to DOMXSS since 07/2014 avoid using it. https://t.co/CxZ9njFHGM
— Anant Shrivastava (@anantshri) May 5, 2015
. @_WPScan_ Please add all plugin's and themes using jquery.prettyphoto.js as vulnerable to DOMXSS details https://t.co/CxZ9njFHGM
— Anant Shrivastava (@anantshri) May 5, 2015
This resulted in two things:
1) A discussion started on the WPScan issue list around how to get a list of vulnerable WordPress plugins.
2) A discussion on the original issue around a possible fix.
This led to another discovery: a probable fix was already pending as a pull request. Funny enough, this pull request was dated 15 Jan 2013.
Finally, within 48 hours of raising the issue, a new version, 3.1.6, was released with protections against DOM XSS.
At this point the story gets interesting for me. The original issue was fixed, so I gave it a 7-day break to see how many downstreams would actually pick the fix up, and for this I used WordPress plugins as the benchmark.
There were a total of 35 plugins using the jquery.prettyphoto.js file, of which only one (yes, ONE) updated the file when the new release came out.
So here is the list of WordPress plugins that are still using the older, vulnerable version of the library:
alpine-photo-tile-for-instagram, contact-bank, dp-maintenance-mode-lite, ehive-account-details, ehive-object-details, embedplus-for-wordpress, fancyflickr, foxyshop, gallery-bank, images-lazyload-and-slideshow, image-slider-widget, izeechat, jcwp-youtube-channel-embed, lb-tube-video, matrix-image-gallery, mklasens-photobox, myblogu, mytreasures, onclick-show-popup, random-image-gallery-with-pretty-photo-zoom, reflex-gallery, responsive-category-slider, responsive-lightbox, s2member-secure-file-browser, tallykit, ticket-manager, vslider, webrotate-360-product-viewer, wp-business-directory, wp-easy-gallery, wp-instagram-bank, wppizza, wp-portfolio-gallery, wp-video-lightbox
To put things into perspective, collectively these plugins account for:
Total Downloads:       2882520
Total Active Installs: 3,37,780
However, keep in mind that this vulnerability does not only affect WordPress plugins but any application that uses jquery.prettyphoto.js.
And an honorary mention to the only plugin that did update its codebase to the newer version: rt-prettyphoto.
So what did we learn from all this?
If you are using third-party code in your application, monitor the upstream product’s development and keep integrating the latest changes back into your system, especially if the change is a security fix.
Also:
1) Never ignore pull requests, especially if they fix a security bug.
2) Never ignore a vulnerability disclosure in your own software.
3) If you use a dependency, always monitor the upstream release’s issues list, pull requests, bug tracker, etc.
4) If upstream publishes a new release, specifically a security release, make it a priority to ship it to your customers.
Also, don’t forget to check whether you are using jquery.prettyphoto.js anywhere in your code, and remember to update it to the latest version.
Update 1
----
Not just WordPress instances: the jQuery plugin (as already suggested earlier) is also used by many websites. A quick search on NerdyData revealed 1042503 hits for jquery.prettyphoto.js.
About 1042503 hits @NerdyDataLtd #Jquery #PrettyPhoto versions < 3.1.6 suffer from DOMXSS http://t.co/BpyJi5ww9l pic.twitter.com/reXzZZi9BQ
— Anant Shrivastava (@anantshri) May 14, 2015
In-the-wild exploitation examples are available over at XSSposed.org; also refer to:
@anantshri @fmavituna Finally.. I've been exploiting this vuln since beginning of 2013.
— Mehmet INCE (@mdisec) May 14, 2015
So how do we search for this vulnerability and ensure our sites are secure?
1. On Linux machines, go to your webroot and search for the existence of the file (-iname matches regardless of case, since the library is usually shipped as jquery.prettyPhoto.js):
find /webroot -iname "jquery.prettyphoto.js"
2. If you are a WordPress user, you can either run wpscan against your website, or
3. If you are a WordPress sysadmin, you may want to integrate the WPVulnDB API command-line tool to run periodic scans and inform you about issues. We have already got the issue added to WPVulnDB, so anyone relying on it would automatically get a notification.
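Finding the file is only half the check; the copy also has to be older than 3.1.6 to matter. The script below is an added example, not code from the original post or from the prettyPhoto project: it walks a webroot, reads the "Version: X.Y.Z" line from each copy's header comment (an assumption about the prettyPhoto source layout) and flags anything below 3.1.6, and it builds a constructed sample webroot so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): find every copy of
# jquery.prettyPhoto.js under a webroot, read "Version: X.Y.Z" from its
# header comment and flag copies older than 3.1.6, the first release with
# the DOM XSS fix. The header format is an assumption about the prettyPhoto
# source; a copy whose version cannot be read is reported as VULNERABLE too.
# Usage: scan_prettyphoto /var/www/html

# Return 0 when dotted version $1 is strictly older than $2 (numeric compare).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print the version from the first "Version: X.Y.Z" line in a file, or "unknown".
prettyphoto_version() {
    v=$(sed -n 's/^.*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Print one "STATUS version path" line per copy found under the webroot $1.
scan_prettyphoto() {
    find "$1" -type f -name 'jquery.pretty[Pp]hoto.js' | sort | while IFS= read -r f; do
        v=$(prettyphoto_version "$f")
        if [ "$v" = "unknown" ] || version_lt "$v" 3.1.6; then
            printf 'VULNERABLE %s %s\n' "$v" "$f"
        else
            printf 'OK %s %s\n' "$v" "$f"
        fi
    done
}

# Constructed sample webroot (not real plugin code): one stale copy, one current copy.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/stale-gallery/js" "$root/wp-content/plugins/fresh-gallery/js"
    printf '/* Class: prettyPhoto\n   Version: 3.1.5 */\n' > "$root/wp-content/plugins/stale-gallery/js/jquery.prettyPhoto.js"
    printf '/* Class: prettyPhoto\n   Version: 3.1.6 */\n' > "$root/wp-content/plugins/fresh-gallery/js/jquery.prettyPhoto.js"
    printf '%s\n' "$root"
}
```

Run `scan_prettyphoto "$(make_sample_webroot)"` to see one VULNERABLE and one OK line; any copy flagged on a real site should be replaced with the 3.1.6 file or the plugin bundling it removed.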
Update 2
----
TLDR: a visual version of the entire blog post, and something more.
Also, while we are at it, another interesting paper around JavaScript remote inclusion, titled “You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions”.
Update 3
----
So the LastPass “Password manager” blog was found vulnerable to DOM XSS due to prettyPhoto not being updated in its theme.
Oh! Now XSS on LastPass blog discovered https://t.co/5XDBJYPkl6
— Omair (@w3bd3vil) June 16, 2015
And a screenshot showing the actual payload.
The WordPress vulnerability database has added this theme as a vulnerable theme: https://wpvulndb.com/vulnerabilities/8048