websecurity@lists.webappsec.org

The Web Security Mailing List


DefenseCode ThunderScan SAST Advisory: WordPress All In One Schema.org Rich Snippets Plugin Security Vulnerability

DefenseCode
Wed, May 24, 2017 3:23 PM
          DefenseCode ThunderScan SAST Advisory
  WordPress All In One Schema.org Rich Snippets Plugin
                  Security Vulnerability

Advisory ID:    DC-2017-01-002
Advisory Title: WordPress All In One Schema.org Rich Snippets Plugin Security Vulnerability
Advisory URL:    http://www.defensecode.com/advisories.php
Software:        WordPress All In One Schema.org Rich Snippets Plugin
Language:        PHP
Version:        1.4.1 and below
Vendor Status:    Vendor contacted, update released
Release Date:    2017/05/24
Risk:            Medium

1. General Overview
===================
During the security audit of the All In One Schema.org Rich Snippets
plugin for WordPress CMS, a security vulnerability was discovered using
the DefenseCode ThunderScan application source code security analysis
platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================
According to the developers, All In One Schema.org Rich Snippets is a
WordPress plugin made to boost CTR, improve SEO and rankings, and
support most content types. The authors claim it works perfectly with
Google, Bing, Yahoo & Facebook.

According to wordpress.org, it has more than 50,000 active installs.

Homepage:
https://wordpress.org/plugins/all-in-one-schemaorg-rich-snippets/
https://www.brainstormforce.com/

3. Vulnerability Description
============================
During the security analysis, ThunderScan discovered a Cross-Site
Scripting vulnerability in the All In One Schema.org Rich Snippets
WordPress plugin.

The Cross-Site Scripting vulnerability can enable an attacker to
construct a URL that contains malicious JavaScript code. If the
administrator of the site makes a request to such a URL, the
attacker's code will be executed, with unrestricted access to the
WordPress site in question. The attacker can entice the administrator
to visit the URL in various ways, including sending the URL by email or
posting it as part of a comment on the vulnerable site or another
forum.

3.1 Cross-Site Scripting
Vulnerable Function:    echo()
Vulnerable Variable:    $_GET['bsf_send_label']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=rich_snippet_dashboard&bsf_force_send=true&bsf_send_label=<%2Fscript><script>alert(1)<%2Fscript>
File:                    all-in-one-schemaorg-rich-snippets\init.php

466    $label = $_GET['bsf_send_label'];
...
471    $('td.savesend input').val('<?php echo $label; ?>');
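The two lines above show the sink: a raw query-string value is echoed into a JavaScript string literal inside an inline script block, so a value containing `</script>` terminates the block and the remainder is parsed as new markup. The stand-alone PHP below is an added example, not the plugin's or DefenseCode's code (function names are mine); it puts that pattern beside a hardened version that emits the value as a JSON string literal, and checks both against the decoded payload from the advisory URL. In a WordPress plugin the same encoding is available through wp_json_encode() with the same flags.

```php
<?php
// Added example (not from the plugin or the advisory).
// Constructed input: the decoded bsf_send_label value from the advisory URL.
$label = "</script><script>alert(1)</script>";

// Vulnerable pattern, as in init.php line 471: the untrusted value lands
// inside a JS string literal in an inline <script> block. The HTML parser
// ends script content at the first "</script" regardless of JS quoting,
// so the rest of the value becomes a new script element.
function render_vulnerable(string $label): string {
    return "<script>\$('td.savesend input').val('" . $label . "');</script>";
}

// Hardened: encode the value as a JSON string literal. The HEX flags turn
// '<', '>', '&', '"' and "'" into \uXXXX escapes, so no markup characters
// reach the HTML parser; json_encode also escapes backslashes, '/' and
// control characters. The literal replaces the hand-written quotes.
function render_hardened(string $label): string {
    $js = json_encode($label, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>\$('td.savesend input').val(" . $js . ");</script>";
}

// Review check: does a "</script" sequence survive inside the script body
// (ignoring the closing tag the template itself emits)?
function breaks_out(string $html): bool {
    $body = substr($html, strlen("<script>"), -strlen("</script>"));
    return stripos($body, "</script") !== false;
}

echo render_vulnerable($label), "\n";
echo render_hardened($label), "\n";
var_dump(breaks_out(render_vulnerable($label)));
var_dump(breaks_out(render_hardened($label)));
```

The hardened output contains `\u003C\/script\u003E` rather than a literal closing tag, so the check returns false for it and true for the original pattern.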

4. Solution
===========
The vendor resolved the security issue after we reported the
vulnerability. All users are strongly advised to update the WordPress All
In One Schema.org Rich Snippets plugin to the latest available version.

5. Credits
==========
Discovered with DefenseCode ThunderScan Source Code Security Analyzer
by Neven Biruski.

6. Disclosure Timeline
======================
2017/03/28    Vendor contacted
2017/03/29    Vendor responded
2017/05/24    Advisory released to the public

7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects, delivering
precise results and a low false-positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for a free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/

Naveem B
Wed, May 24, 2017 3:38 PM

Please unsubscribe me from this mailing list.

On 24 May 2017 8:55 p.m., "DefenseCode" defensecode@defensecode.com wrote:


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
