A story of forgotten disclosure and DOM XSS

This post is about a vulnerability disclosure around DOM XSS which as forgotten somewhere during the process and i encountered it recently and then went on my way to get it fixed. This post outlines various learnings and observations i made during this effort.

UPDATE 1 : 14 May 2015 : More details added at the end around in-wild exploitation examples as well as effected website and how to find vulnerable code.
Update 2 : 20 May 2015 : A visual version of the blog post i presented during combined meet of (null/OWASP/G4H) Bangalore chapter.
Update 3 : 17 June 2015 : more then a month since this blog post and more issues still found online. This time lastpass is found vulnerable to XSS due to this.

———-
10 days ago i was informed by one of my client about a DoM XSS being exploited on there website. After doing some due-diligent checks we zeroed it on one single wordpress plugin “facebook-page-photo-gallery” as the vulnerable component, So we decided to remove the plugin and vulnerability was gone. We also went ahead and informed plugins@wordpress.org about the issue and for my client that was End of Story.

However as i was intrigued what is causing the issue, I started to Digg-in and zeroed in on a specific jquery plugin called “PrettyPhoto” developed by Stephane Caron and hosted here .

At this point my understanding was that the plugin must be using an older version of javascript and newer version must be patched. And indeed when i visited the official website i found that a newer version was available. However this is where things get interesting. To my surprize the payload which was used at my client’s website worked without any modification on the website no-margin-for-errors too. which meant that the latest version was also vulnerable, more interestingly the last update to the code was around March 2013.

At this point I started looking at google in order to check if the issue was encountered by someone else also. This search was not a waste and i ended up on a blog post by Perucrack.net. This confirmed my suspicion that this was already reported and hence should have been patched already. (The post dated aug 2014). This was the part about forgotten disclosure

So i raised a github issue asking for more details about this. And made some tweets to get the word out.

This resulted in two things,
1) A discussion started at wpscan issue list around how to get list of vulnerable wordpress plugins.
2) A discussion on original issue list around a possible fix.

This lead to another discovery that a probable fix was already pending as a pull request Funny enough this pull request was dated 15 Jan 2013.

Finally within 48 hrs of raising the issue there was a new version released 3.1.6 which had protections for DOMXSS.

At this point story gets interesting for me, The original issue is fixed, so i gave 7 days of break to see how many downstreams actually pick this up and for this i used wordpress plugin’s as benchmark.

there were a total of 35 plugins which were using jquery.prettyphoto.js file out of which only one yes ONE updated the file when a new release came out.

So here is a list of WordPress plugin’s that are still using Older and vulnerable Plugin.

alpine-photo-tile-for-instagram
contact-bank
dp-maintenance-mode-lite
ehive-account-details
ehive-object-details
embedplus-for-wordpress
fancyflickr
foxyshop
gallery-bank
images-lazyload-and-slideshow
image-slider-widget
izeechat
jcwp-youtube-channel-embed
lb-tube-video
matrix-image-gallery
mklasens-photobox
myblogu
mytreasures
onclick-show-popup
random-image-gallery-with-pretty-photo-zoom
reflex-gallery
responsive-category-slider
responsive-lightbox
s2member-secure-file-browser
tallykit
ticket-manager
vslider
webrotate-360-product-viewer
wp-business-directory
wp-easy-gallery
wp-instagram-bank
wppizza
wp-portfolio-gallery
wp-video-lightbox

Also just to put things into perspective here collectively these plugins correspond to

Total Downloads2882520
Total Active Installs3,37,780

However it should be kept in mind that this vulnerability is not only affecting wordpress plugin’s but any application which is using jquery.prettyphoto.js

And an honorary mention to the only plugin who did updated the codebase to newer version rt-prettyphoto

So what did we learn from all this.

If you are using third party code in your application Monitor the product development and keep integrating the latest changed back into your system, Specially if the change is a security fix.

Also
1) Never ignore pull requests specially if its a security bug.
2) Never ignore vulnerability disclosure in your own software.
3) If you use a dependency always monitor the upstream release’s issues list and pull requests, bug tracker etc.
4) If upstream publishes a new release specifically if its a security release make it a priority to ship it to your customers.

Also don’t forget to check if you are using jquery.prettyphoto.js in any of your code and remember to update the codebase to latest version.

Update 1
——–

Not just WordPress instances the jquery plugin (as already suggested earlier) is also used by many websites. Did a quick search on nerdy data and it revealed 1042503 hits for jquery.prettyphoto.js

In the wild exploitation examples are available over at XSSposed.orgas well as refer

So How do we search for this vulnerability and ensure our sites are secure.

1. On linux machines go to your webroot and search for the existence of file

find /webroot -name "jquery.prettyphoto.js"

2. If you are a wordpress user, You can either run wpscan on your website or

3. If you are a wordpress sysadmin you may want to integrate this WPVulnDB API commandline tool To run periodic scan and inform you about the issues. We have already got the issue added in WPVulnDB so any one relying on that would automatically get a notification.

Update 2
——–
TLDR: visual version of the entire blogpost. and something more.

Also while we are at it another interesting paper around Javascript remote inclusion title “You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions”

Update 3
———-

So Lastpass “Password manager” blog is found vulnerable to DoM XSS due to prettyphoto not being updated in the theme.

And a screenshot showing the actual payload.

prettyphoto_lastpass_xss

WordPress vulnerability database has added this theme as a vulnerable theme : https://wpvulndb.com/vulnerabilities/8048

Do you like what you read, What to share it

Leave a Reply

Your email address will not be published. Required fields are marked *