[WEB SECURITY] DefenseCode ThunderScan SAST Advisory: WordPress All In One Schema.org Rich Snippets Plugin Security Vulnerability

Naveem B nayeemb at gmail.com
Wed May 24 11:38:25 EDT 2017


Please unsubscribe me from this mailing list.

On 24 May 2017 8:55 p.m., "DefenseCode" <defensecode at defensecode.com> wrote:

>
>               DefenseCode ThunderScan SAST Advisory
>       WordPress All In One Schema.org Rich Snippets Plugin
>                       Security Vulnerability
>
>
> Advisory ID:     DC-2017-01-002
> Advisory Title:  WordPress All In One Schema.org Rich Snippets Plugin
>                  Security Vulnerability
> Advisory URL:    http://www.defensecode.com/advisories.php
> Software:        WordPress All In One Schema.org Rich Snippets Plugin
> Language:        PHP
> Version:         1.4.1 and below
> Vendor Status:   Vendor contacted, update released
> Release Date:    2017/05/24
> Risk:            Medium
>
>
>
> 1. General Overview
> ===================
> During the security audit of the All In One Schema.org Rich Snippets
> plugin for the WordPress CMS, a security vulnerability was discovered
> using the DefenseCode ThunderScan application source code security
> analysis platform.
>
> More information about ThunderScan is available at URL:
> http://www.defensecode.com
>
>
> 2. Software Overview
> ====================
> According to the developers, All In One Schema.org Rich Snippets is a
> WordPress plugin that is made to boost CTR, improve SEO and rankings,
> and support most content types. The authors claim it works
> perfectly with Google, Bing, Yahoo & Facebook.
>
> According to wordpress.org, it has more than 50,000 active installs.
>
> Homepage:
> https://wordpress.org/plugins/all-in-one-schemaorg-rich-snippets/
> https://www.brainstormforce.com/
>
>
> 3. Vulnerability Description
> ==================================
> During the security analysis, ThunderScan discovered a Cross-Site
> Scripting vulnerability in the All In One Schema.org Rich Snippets
> WordPress plugin.
>
> The Cross-Site Scripting vulnerability can enable the attacker to
> construct a URL that contains malicious JavaScript code. If the
> administrator of the site makes a request to such a URL, the
> attacker's code will be executed, with unrestricted access to the
> WordPress site in question. The attacker can entice the administrator
> to visit the URL in various ways, including sending the URL by email,
> or posting it as part of a comment on the vulnerable site or on another
> forum.
>
> 3.1 Cross-Site Scripting
>   Vulnerable Function:    echo()
>   Vulnerable Variable:    $_GET['bsf_send_label']
>   Vulnerable URL:
> http://vulnerablesite.com/wp-admin/admin.php?page=rich_snippet_dashboard&bsf_force_send=true&bsf_send_label=<%2Fscript><script>alert(1)<%2Fscript>
>   File:                   all-in-one-schemaorg-rich-snippets\init.php
>   ---------
>     466    $label = $_GET['bsf_send_label'];
>     ...
>     471    $('td.savesend input').val('<?php echo $label; ?>');
>   ---------
>
>
> 4. Solution
> ===========
> The vendor resolved the security issue after we reported the
> vulnerability. All users are strongly advised to update the WordPress
> All In One Schema.org Rich Snippets plugin to the latest available
> version.
>
>
> 5. Credits
> ==========
> Discovered with DefenseCode ThunderScan Source Code Security Analyzer
> by Neven Biruski.
>
>
> 6. Disclosure Timeline
> ======================
> 2017/03/28    Vendor contacted
> 2017/03/29    Vendor responded
> 2017/05/24    Advisory released to the public
>
>
> 7. About DefenseCode
> ====================
> DefenseCode L.L.C. delivers products and services designed to analyze
> and test web, desktop and mobile applications for security
> vulnerabilities.
>
> DefenseCode ThunderScan is a SAST (Static Application Security
> Testing, WhiteBox Testing) solution for performing extensive security
> audits of application source code. ThunderScan SAST performs fast and
> accurate analyses of large and complex source code projects, delivering
> precise results and a low false positive rate.
>
> DefenseCode WebScanner is a DAST (Dynamic Application Security
> Testing, BlackBox Testing) solution for comprehensive security audits
> of active web applications. WebScanner will test a website's security
> by carrying out a large number of attacks using the most advanced
> techniques, just as a real attacker would.
>
> Subscribe for a free software trial on our website
> http://www.defensecode.com/ .
>
> E-mail: defensecode[at]defensecode.com
>
> Website: http://www.defensecode.com
> Twitter: https://twitter.com/DefenseCode/
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
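The sink in section 3.1 of the quoted advisory is a PHP `echo` of `$_GET['bsf_send_label']` straight into a single-quoted JavaScript string literal, so a value containing `</script>` closes the script element and the remainder is parsed as new markup. The following PHP script is an added example, not the plugin's code and not DefenseCode's; it reproduces that pattern next to a hardened rendering of the same value and checks both against the payload from the advisory's URL (decoded). The function names are hypothetical, and the advisory does not say which fix the vendor actually shipped.

```php
<?php
// Added example, not the plugin's or DefenseCode's code. Function names
// (render_label_unsafe, render_label_safe, contains_script_breakout) are
// hypothetical.

// Vulnerable pattern, equivalent to init.php lines 466 and 471 in the
// advisory: the request parameter is interpolated into a JS string
// literal with no encoding for either the JS or the HTML context.
function render_label_unsafe(string $label): string
{
    return '<script>$(\'td.savesend input\').val(\'' . $label . '\');</script>';
}

// Hardened: emit the value as a JSON string literal with the HEX flags,
// so that <, >, &, ' and " become \uXXXX escapes and json_encode's
// default escaping turns "/" into "\/". The HTML parser never sees a
// literal "</script>", while the JS parser still receives the original
// string. In WordPress itself, esc_js() (for single-quoted JS strings)
// or wp_json_encode() are the idiomatic helpers for this sink.
function render_label_safe(string $label): string
{
    $encoded = json_encode(
        $label,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>$(\'td.savesend input\').val(' . $encoded . ');</script>';
}

// Check used by the demo: does the rendered fragment contain any
// script-closing tag other than the one we emit ourselves at the end?
// Case-insensitive, because the HTML tokenizer is.
function contains_script_breakout(string $html): bool
{
    $withoutOurs = preg_replace('#</script>$#i', '', $html, 1);
    return (bool) preg_match('#</script#i', $withoutOurs);
}

// Constructed input: the bsf_send_label payload from the advisory's
// vulnerable URL, with %2F decoded.
$payload = '</script><script>alert(1)</script>';

echo render_label_unsafe($payload), PHP_EOL;
echo render_label_safe($payload), PHP_EOL;
var_dump(contains_script_breakout(render_label_unsafe($payload))); // bool(true)
var_dump(contains_script_breakout(render_label_safe($payload)));   // bool(false)
```

Encoding at the sink is the fix for the bug the advisory describes; it does not change that the page sits under `wp-admin` and runs with the visiting administrator's session, which is exactly why a reflected parameter there is rated as it is. When reviewing a plugin for this class of issue, search for `echo` or `<?=` inside `<script>` blocks and treat every occurrence that is not wrapped in `esc_js()` or `wp_json_encode()` as a finding to verify by hand.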