Cross-Site Scripting (XSS) in GistPress WordPress Plugin

Vulnerability Disclosure - CVE-2020-8498 | Pentest

Researchers:

Paul Richie & Sam Thomas

Background

Cross-Site Scripting (XSS) is a vulnerability resulting from the lack of or inadequate sanitisation carried out on user supplied data that is then later rendered back to a user.

When an application includes user-supplied data in its HTTP response without proper sanitisation, any HTML or JavaScript included within that data is executed when the response is rendered in the user's browser. An attacker can leverage this behaviour to compromise user sessions within the application, allowing them to carry out unauthorised actions with the privileges of the victim.

Details

The shortcode function of gistpress version 3.0.1 was vulnerable to XSS. This was due to insecure handling of the "id" value of the shortcode: the value was used to build the gist.github.com URL without being validated, so an id containing path separators allowed an attacker to make the plugin request an unanticipated URL (in this case the raw content of an attacker-controlled gist), and the content returned was then rendered into the post.

To replicate the finding please follow these steps:

1. Go to https://gist.github.com
2. Create a new file called "anything.json" with contents like the example shown below and save it:

{"description":"","public":true,"created_at":"2020-01-10T20:58:12.000Z","files":["mdStyles"],"owner":"keithcurtis1","div":"\n","stylesheet":"https://github.githubassets.com/assets/gist-embed-7f347f16d50778e1160a7bd9d4550bad.css"}

Note: the file used during testing contained a simple JavaScript alert message as the payload, which is inert and safe to use for replication.

Also note: the filename must end in ".json" because gistpress automatically appends ".json" to the id before requesting the file.

3. Once saved, that file was accessible from the gist URL shown below:
https://gist.github.com/cornerpirate/42a96c5f059796086340d39bfb63eff8

4. Obtain the “raw” link to that content using the button as shown below:


Figure 1 – Raw button shown on gist UI

5. This gave a URL like the one shown below:


6. Create a new blog post and add a shortcode similar to the one shown below:

[gist id='cornerpirate/42a96c5f059796086340d39bfb63eff8/raw/56dacb78320139aaedfefdfe62eb92aa2748a355/anything']

Note: this is the path portion of the raw URL for the file saved on gist, with the trailing ".json" omitted because the plugin appends it before making the request.

Having followed the above steps as a contributor-level user, the injected JavaScript executes whenever the post is previewed or viewed, as shown below:


Figure 2 – XSS Confirmed

This functionality can be exploited by a contributor user, who can create blog posts. That is a low-privileged account, and typically a higher-privileged user is required to review and approve the post. An attacker can therefore use this to effect privilege escalation: the injected JavaScript runs in the reviewer's browser and can perform WordPress actions with that higher user's privileges.

Risk Analysis

Risk Category: High
CVSSv3.1 Score: 5.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Explanation: XSS can pose a significant risk. Because this issue is reachable by a contributor and is likely to be used for privilege escalation in WordPress, a risk categorisation of "high" was considered appropriate.

Recommendation

In this case the solution is to add input validation that rejects invalid gist "id" values. Gist ids have an expected format; an example id is shown below:
42a96c5f059796086340d39bfb63eff8

A valid id consists only of characters from the sets 0-9 and a-f, and is exactly 32 characters long.

Gistpress should be updated to validate that the "id" value matches this format before attempting to download any content, and to stop processing the shortcode if it does not. This would prevent the vulnerability.

Vendor Response

The gistpress project lead responded positively to the disclosure and patched the project as per this update. 

The key part of the update is illustrated in Figure 3:

Figure 3 – Validation Added

The patch worked by using “preg_replace” to remove any non-alphanumeric characters from the “id” parameter value.

Advice was provided that sanitisation of this kind is not the most secure approach: stripping characters still allows a request to be made for a mangled id, whereas the preferred solution halts processing of the shortcode as soon as the "id" value fails to match the expected format. However, the XSS attack appeared adequately mitigated, because the payload relied on the presence of the forward slash ("/") character to redirect the request to a different path on gist.github.com.
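The following is an added example written for this write-up; it is not GistPress's own code. It models the three behaviours described above for the shortcode "id" value: the unvalidated concatenation into the request URL, the 3.0.2-style sanitisation with "preg_replace", and the stricter validation recommended here. The base URL, the function names and the way the ".json" suffix is appended are assumptions for illustration only, and may differ from the plugin's internals.

```php
<?php
// Added example, not GistPress's own code. Models the shortcode "id" handling
// described in the advisory. GIST_BASE, the function names and the ".json"
// suffix handling are assumptions for illustration.

const GIST_BASE = 'https://gist.github.com/';

// Assumed 3.0.1 behaviour: the id is dropped straight into the URL, so an id
// containing "/" can steer the request to any path under gist.github.com.
function gist_url_unvalidated(string $id): string
{
    return GIST_BASE . $id . '.json';
}

// 3.0.2-style fix as described above: strip every non-alphanumeric character.
// A request is still made, but the attacker-chosen path structure is gone.
function gist_url_sanitised(string $id): string
{
    $clean = preg_replace('/[^a-zA-Z0-9]/', '', $id);
    return GIST_BASE . $clean . '.json';
}

// Recommended fix: accept only a 32-character lowercase hex id and return null
// for anything else, so the caller stops before any HTTP request is made.
function gist_url_validated(string $id): ?string
{
    if (preg_match('/^[0-9a-f]{32}$/', $id) !== 1) {
        return null;
    }
    return GIST_BASE . $id . '.json';
}

// Demonstration using the legitimate id and the malicious id from this write-up.
$ids = [
    'legitimate' => '42a96c5f059796086340d39bfb63eff8',
    'malicious'  => 'cornerpirate/42a96c5f059796086340d39bfb63eff8/raw/'
                  . '56dacb78320139aaedfefdfe62eb92aa2748a355/anything',
];

foreach ($ids as $label => $id) {
    echo "== {$label} ==\n";
    echo 'unvalidated: ' . gist_url_unvalidated($id) . "\n";
    echo 'sanitised:   ' . gist_url_sanitised($id) . "\n";
    $validated = gist_url_validated($id);
    echo 'validated:   ' . ($validated ?? 'REJECTED (no request made)') . "\n";
}
```

Run with "php example.php". For the malicious id the unvalidated function produces the raw gist URL used in the replication steps, the sanitised function produces a single run of alphanumerics that no longer addresses the attacker's raw file, and the validated function returns null. In a WordPress shortcode callback that null is the point at which to return early (or output an error) rather than proceed to fetch and render anything.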

The vulnerability had been mitigated by version 3.0.2 of gistpress.

Affected Item

The affected item was:

  • Gistpress shortcode handling of the “id” parameter.
      • In version 3.0.1 and lower
