Author: Antony Garand

Reflected XSS in Cookiebot Administrative Page

A reflected XSS vulnerability has recently been found in the Cookiebot plugin plugin, impacting a user base of over 40k installs. Versions prior to 3.6.1 are susceptible to this attack, which allows hackers to exploit the vulnerability found on administrative pages.

This vulnerability is caused by the manual tabs mechanism, which tries to add a class to the form with the current tab. 

<?php if ( isset( $_GET['tab'] ) ) {
     $active_tab = $_GET['tab'];
} else if ( $active_tab == 'unavailable_addons' ) {
     $active_tab = 'unavailable_addons';
} else {
     $active_tab = 'available_addons';
} ?>

// ...

<form method="post" action="options.php" class="<?php echo $active_tab; ?>">

The issue lies in the fact that only two tab types should be present: available_addons or unavailable_addons. These values are never checked, however, and are directly inserted into the form class attribute.

This improper implementation leads to the potential for a reflected cross-site scripting attack which relies on human behavior - such as an administrator visiting a link.
If the website administrator visits an attacker’s specially crafted URL, the bad actor may be able to compromise and take over the website.

Timeline:

  • 2020-03-11: Initial disclosure
  • 2020-03-12: Version 3.6.1 released

Mitigation Steps:

Websites using Cookiebot versions lower than 3.6.1 should update their plugins to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.

 

Mar 23, 2020 by Antony Garand

Reflected XSS in Advanced Ads Admin Dashboard

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS attacks via the admin dashboard.

Both vulnerabilities are related to the advads-last-edited-group property, which should normally be a number.

As the argument in this property was not sanitized, a malicious payload can be injected into websites using vulnerable versions of this plugin, causing up to two reflected XSS on the page. 

$last_edited_group_id = 0;
if ( isset( $_REQUEST['advads-last-edited-group'] ) ) {
        $last_edited_group_id = $_REQUEST['advads-last-edited-group'];
        ?>
        <script>
                var body = document.getElementsByTagName("body")[0];
                body.addEventListener("load", function(){
                        jQuery('#advads-ad-group-<?php echo $last_edited_group_id; ?>').get(0).scrollIntoView(false);
                }, true);
        </script>
        <?php
}// ...
<div id="advads-ad-group-list">
        <form action="" method="post" id="advads-form-groups">
                <?php wp_nonce_field( 'update-advads-groups', 'advads-group-update-nonce' ); ?>
                <table class="wp-list-table widefat fixed adgroups">
                        <?php $ad_groups_list->render_header(); ?>
                        <?php $ad_groups_list->render_rows(); ?>
                </table>
<input type="hidden" name="advads-last-edited-group" id="advads-last-edited-group" value="<?php echo $last_edited_group_id; ?>"/>
                <div class="tablenav bottom">
                        <?php submit_button( __( 'Update Groups', 'advanced-ads' ) ); ?>
                </div>
        </form>
</div>

If a website administrator visits an attacker’s specially crafted link, the bad actor may be able to gain access to the compromised environment and obtain access to the account.

Timeline:

  • 2020-03-08: Initial disclosure
  • 2020-03-09: Update provided by the developer
  • 2020-03-09: Version 1.17.4 released

Mitigation Steps:

Websites with Ads Admin versions lower than 1.17.4 should update their plugins to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.

 

Mar 17, 2020 by Antony Garand