
Cross-Site Scripting (XSS) in GistPress WordPress Plugin (CVE-2020-8498)

Researchers:

Paul Richie & Sam Thomas

Background

Cross-Site Scripting (XSS) is a vulnerability that results from missing or inadequate sanitisation of user-supplied data that is later rendered back to a user.

When an application includes user-supplied data in its HTTP response without proper sanitisation, any HTML or JavaScript contained in that data is executed when the response is rendered in the user's browser. An attacker can leverage this behaviour to compromise user sessions within the application, allowing them to carry out unauthorised actions with the privileges of the victim.

Details

The shortcode function of gistpress version 3.0.1 was vulnerable to XSS. This was due to insecure handling of the shortcode's "id" value, which ultimately allowed an attacker to make the plugin request unanticipated URLs.

To replicate the finding please follow these steps:

1. Go to https://gist.github.com
2. Create a new file called "anything.json" with contents like the example shown below and save it:

{"description":"","public":true,"created_at":"2020-01-10T20:58:12.000Z","files":["mdStyles"],"owner":"keithcurtis1","div":"\n","stylesheet":"https://github.githubassets.com/assets/gist-embed-7f347f16d50778e1160a7bd9d4550bad.css"}

Note: this contained a simple JavaScript alert message as the payload which is inert and safe to use for replication.

Also note: The filename must end in “.json” because gistpress automatically appends “.json” before requesting the file.

3. Once saved, the file was accessible from the gist URL shown below:

https://gist.github.com/cornerpirate/42a96c5f059796086340d39bfb63eff8

4. Obtain the “raw” link to that content using the button as shown below:

Figure 1 – Raw button shown on gist UI

5. This gave a URL like the one shown below:


6. Create a new blog post and add a shortcode similar to the one shown below:

[gist id='cornerpirate/42a96c5f059796086340d39bfb63eff8/raw/56dacb78320139aaedfefdfe62eb92aa2748a355/anything']


Note: this used the URL to the raw version of the file saved on gist, but with the ".json" part omitted.

Having followed the above steps as a contributor-level user, the injected JavaScript executes whenever the post is previewed or viewed, as shown below:

Figure 2 – XSS Confirmed

This functionality can be exploited by a contributor user who can create blog posts. That is a low-privileged user account, and typically a higher-privileged user will be required to approve the post. This can be used to effect a privilege escalation by using JavaScript to execute actions on WordPress within the privileges of the higher-privileged user.

Risk Analysis

Risk Category: High

CVSSv3.1 Score: 5.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Explanation: XSS can pose a significant risk. Due to the likely use for privilege escalation in WordPress the risk categorisation of “high” was believed to be appropriate.

Recommendation

In this case the solution is to add input validation to prevent invalid gist “id” values. There is an expected format for these ids. An example id is shown below:

42a96c5f059796086340d39bfb63eff8

The intended value contains only hexadecimal characters (0-9 and a-f) and is exactly 32 characters long.

Gistpress should be updated to validate that the "id" value matches that format before attempting to download any content. This would prevent the vulnerability.

Vendor Response

The gistpress project lead responded positively to the disclosure and patched the project as per this update. 

The key part of the update is illustrated in Figure 3:

Figure 3 – Validation Added

The patch worked by using “preg_replace” to remove any non-alphanumeric characters from the “id” parameter value.

Advice was provided stating that data sanitisation is not the most secure approach. The preferred solution should halt processing of the request if the "id" format is invalid. However, the XSS attack appeared adequately mitigated, because the payload relied on the presence of the forward slash ("/") character.
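The following is an added illustration (not GistPress code) contrasting the two approaches discussed in the Recommendation and Vendor Response sections: stripping non-alphanumeric characters versus rejecting any "id" that is not a 32-character hex string before a request is built. The URL layout of "https://gist.github.com/" followed by the id and ".json" is assumed from the advisory's description of the plugin appending ".json".

```php
<?php
// Added example (not the GistPress project's own code).

// Sanitising approach, as the 3.0.2 patch is described: strip anything that is
// not alphanumeric and carry on with whatever remains. The proof-of-concept id
// loses its "/" characters, but the remaining value is still passed through.
function gistpress_sanitise_id_example(string $id): string {
    return preg_replace('/[^a-zA-Z0-9]/', '', $id);
}

// Strict validation (the advised approach): accept only a 32-character
// lowercase hex id and return null for anything else so the caller can stop.
function gistpress_validate_id_example(string $id): ?string {
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1 ? $id : null;
}

// Build the request URL only for a validated id. The URL layout is an
// assumption based on the advisory, not taken from the plugin source.
function gistpress_build_url_example(string $id): ?string {
    $valid = gistpress_validate_id_example($id);
    if ($valid === null) {
        return null; // halt: do not fetch anything for an invalid id
    }
    return 'https://gist.github.com/' . $valid . '.json';
}

// Constructed inputs: the valid id quoted in the advisory, the path-style id
// from the proof of concept, and a generic non-hex value.
$inputs = [
    '42a96c5f059796086340d39bfb63eff8',
    'cornerpirate/42a96c5f059796086340d39bfb63eff8/raw/56dacb78320139aaedfefdfe62eb92aa2748a355/anything',
    'not-a-gist-id',
];

foreach ($inputs as $id) {
    printf("input:     %s\n", $id);
    printf("sanitised: %s\n", gistpress_sanitise_id_example($id));
    printf("strict:    %s\n\n", gistpress_build_url_example($id) ?? 'REJECTED');
}
```

Only the first input produces a URL under the strict check; the sanitising function returns a non-empty string for all three, which is why halting on an invalid format is the safer design.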

The vulnerability had been mitigated by version 3.0.2 of gistpress.

Affected Item

The affected item was:

  • Gistpress shortcode handling of the “id” parameter.
      • In version 3.0.1 and lower
