Discussion:
Bug - Wordpress Multiple Themes (oid:802250) - False Positive
(too old to reply)
R. Brenton Strickler
2018-05-07 18:32:39 UTC
Permalink
Hi all,

I believe I've stumbled across a bug
in gb_wordpress_mult_themes_xss_vuln.nasl while reviewing a scan.

http://plugins.openvas.org/nasl.php?oid=802250

See this line:
if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern: xploit,
check_header:TRUE))

I'm thinking it should be as follows:

if(http_vuln_check(port: port, url: dir + xploits[xploit], pattern:
xploits[xploit], check_header:TRUE))

Thanks,

-Brenton
Christian Fischer
2018-05-10 12:35:19 UTC
Permalink
Hi,

thanks for the IP. Was was able to reproduce this and can confirm that
this is definitely NOT a false positive.

If you open up the URL (which is now reported in the new version of the
plugin) you will find this vulnerable URL (replace example.com with the
public hostname of that IP):

Vulnerable url:
https://example.com/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

the XSS gets triggered in your browser (as long as you're not using a
tool like NoScript or a Browser with build in XSS protection).

The embedded source code on the target page looks like the following
(there are four different places in the HTML where the JS is embedded,
havn't checked which one is actually triggering the XSS):

<h1 class = 'results' ><span>0</span> Results For ""
<script>alert(document.cookie)</script>"</h1>
<a href="/?s=" ><script>alert(document.cookie)</script>">

<li class="results product-search-results"><a
href="/products/product-search/?product_name="
<script>alert(document.cookie)</script>&department-product-search=all-products"><span>0</span>
Products Found | View </a></li>

<input type="text" class="form-control" name="s" placeholder="Search"
autocomplete = 'off' ng-model="searchcrit" value="\"
<script>alert(document.cookie)</script>" >
Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Thanks for your responses.
I am troubleshooting a 3rd party vendor scanning a client's systems.  I
don't have information on the versions they are using, but I can tell
you the information that I do have.
1) The scan target is 52.21.123.105
2) There's only one theme installed /wp-content/themes/mx-theme/
3) There are no other themes in /wp-content/themes/
4) The theme in question includes URL parameters in the HTML body, but
the html entities are properly escaped.
Any assistance is greatly appreciated.
Thanks again,
-Brenton
On Tue, May 8, 2018 at 3:11 AM, Christian Fischer
Hi *,
Hi,
Post by R. Brenton Strickler
Hi all,
I believe I've stumbled across a bug
in gb_wordpress_mult_themes_xss_vuln.nasl while reviewing a scan.
http://plugins.openvas.org/nasl.php?oid=802250
<http://plugins.openvas.org/nasl.php?oid=802250>
Post by R. Brenton Strickler
xploit, check_header:TRUE))
xploits[xploit], check_header:TRUE))
No, it's proper(should be xploit). Here we want check only executed
payload from the response.
Not payload along with the parameters.
Exactly. The checks are in a form of an array so on the first iteration
xploit = ><script>alert\(document.cookie\)</script>
xploits[xploit] =
/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
thus the "http_vuln_check()" is requesting the url from
"xploits[xploit]" and then checks the response of that request against
the regex pattern from "xploit".
May be other reason for reporting FP for you. If you provide more
details about installed
versions and responses from server, It will be easy to look into this.
Additionally the question is if this is really a FP or is there any
Theme installed with might be still vulnerable to the same vulnerability
but not described in that plugin?
The next feed-update (once the NVT reaches Revision r9750) the URL where
the vulnerability was detected should be included in the report output.
This might help you to gather more information on this.
Thanks,
Antu Sanadi
Post by R. Brenton Strickler
Thanks,
-Brenton
Regards,
R. Brenton Strickler
2018-05-10 12:39:17 UTC
Permalink
Hi Christian,

Thanks for this. I wasn't able to produce that result at first and was
thrown off by the "multiple WordPress theme" prognosis. We'll make
adjustments on our end to address this.

Thanks again,

-Brenton

On Thu, May 10, 2018 at 8:35 AM Christian Fischer <
Post by Christian Fischer
Hi,
thanks for the IP. Was was able to reproduce this and can confirm that
this is definitely NOT a false positive.
If you open up the URL (which is now reported in the new version of the
plugin) you will find this vulnerable URL (replace example.com with the
https://example.com/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
the XSS gets triggered in your browser (as long as you're not using a
tool like NoScript or a Browser with build in XSS protection).
The embedded source code on the target page looks like the following
(there are four different places in the HTML where the JS is embedded,
<h1 class = 'results' ><span>0</span> Results For ""
<script>alert(document.cookie)</script>"</h1>
<a href="/?s=" ><script>alert(document.cookie)</script>">
<li class="results product-search-results"><a
href="/products/product-search/?product_name="
<script>alert(document.cookie)</script>&department-product-search=all-products"><span>0</span>
Products Found | View </a></li>
<input type="text" class="form-control" name="s" placeholder="Search"
autocomplete = 'off' ng-model="searchcrit" value="\"
<script>alert(document.cookie)</script>" >
Regards,
--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 OsnabrÃŒck, Germany | AG OsnabrÃŒck, HR B 202460
GeschÀftsfÌhrer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Thanks for your responses.
I am troubleshooting a 3rd party vendor scanning a client's systems. I
don't have information on the versions they are using, but I can tell
you the information that I do have.
1) The scan target is 52.21.123.105
2) There's only one theme installed /wp-content/themes/mx-theme/
3) There are no other themes in /wp-content/themes/
4) The theme in question includes URL parameters in the HTML body, but
the html entities are properly escaped.
Any assistance is greatly appreciated.
Thanks again,
-Brenton
On Tue, May 8, 2018 at 3:11 AM, Christian Fischer
Hi *,
Hi,
Post by R. Brenton Strickler
Hi all,
I believe I've stumbled across a bug
in gb_wordpress_mult_themes_xss_vuln.nasl while reviewing a scan.
http://plugins.openvas.org/nasl.php?oid=802250
<http://plugins.openvas.org/nasl.php?oid=802250>
Post by R. Brenton Strickler
if(http_vuln_check(port: port, url: dir + xploits[xploit],
xploit, check_header:TRUE))
if(http_vuln_check(port: port, url: dir + xploits[xploit],
xploits[xploit], check_header:TRUE))
No, it's proper(should be xploit). Here we want check only executed
payload from the response.
Not payload along with the parameters.
Exactly. The checks are in a form of an array so on the first
iteration
xploit = ><script>alert\(document.cookie\)</script>
xploits[xploit] =
/?s=%22%20%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
thus the "http_vuln_check()" is requesting the url from
"xploits[xploit]" and then checks the response of that request
against
the regex pattern from "xploit".
May be other reason for reporting FP for you. If you provide more
details about installed
versions and responses from server, It will be easy to look into
this.
Additionally the question is if this is really a FP or is there any
Theme installed with might be still vulnerable to the same
vulnerability
but not described in that plugin?
The next feed-update (once the NVT reaches Revision r9750) the URL
where
the vulnerability was detected should be included in the report
output.
This might help you to gather more information on this.
Thanks,
Antu Sanadi
Post by R. Brenton Strickler
Thanks,
-Brenton
Regards,
_______________________________________________
Openvas-plugins mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
Loading...