Reflected XSS of bbe-child-starter Theme via "value"-GET-parameter
State Resolved (Closed)
Disclosed publicly 2018-12-05T08:07:56.849Z
Reported To
Weakness Cross-site Scripting (XSS) - Reflected
Bounty $250

Summary by chihuahua

Issue

The reporter found a vulnerability in the theme being used for the WP installation. This was a follow-up report on #324442. The result was a reflected XSS.

Fix

The vulnerable functionality was restricted.

Reasoning

Running a system which potentially carries a lot of vulnerable endpoints and bad default settings is always a risk. Moreover, keeping track of potential vulnerabilities in themes is very tedious. Hardening should always be compulsory, but may not always be straightforward. While we do our best to be proactive in running our software securely, we do occasionally hit and miss. In this case, the reporter provided excellent value both from a technical point of view as well as explaining the potential impact. A learning opportunity for the occasional reader - put effort into things that matter to the organization you are reporting to.

Timeline
chihuahua submitted a report to LocalTapiola.
2018-04-11T07:29:34.039Z

This bug is related to #324442, and is an XSS in another URL.

PoC:

https://www.lahitapiolarahoitus.fi/wp-content/themes/bbe-child-starter/bbe-engine/assets/actions/bbe_open_htmleditor_popup.php?attribute=%27%3C/script%3E%3Cbody%20onload&value=alert(document.cookie)

Impact

- Make admin-user run malicious JavaScript which will then be used to access other WP-Admin functionalities --> remote code execution --> possibly pivoting to other hosts.
- Make other users run malicious JavaScript.
- Show spoofed content which can be used in social engineering attacks (such as fake login pages, fake invoices, fake contact details, fake announcements etc.).

Regards,
Frans
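
The mechanism behind the PoC above, as an added example that is not part of the original report and not the bbe-child-starter theme's code. The actual template inside bbe_open_htmleditor_popup.php is not shown anywhere in the report; the stand-in below only assumes what the payload shape requires, namely that the two GET parameters were written unencoded into an inline `<script>` block as `<attribute>=<value>`. The `bbe.` object, `bbe.setAttr` and the surrounding page skeleton are hypothetical names chosen for the demonstration, and the theme is PHP while this demo is Python, so it shows the output pattern rather than the original source. It decodes the report's PoC URL the way `$_GET` would, renders the hypothetical vulnerable page to show the `</script>` break-out into a live `onload` handler, and renders a hardened variant that passes both parameters as JavaScript string literals with the script-terminating sequences escaped.

```python
"""Hypothetical stand-in for the reflection behind the PoC URL (added example).

Not the theme's code: the real template in bbe_open_htmleditor_popup.php is not
in the report. Assumption: the two GET parameters were concatenated, unencoded,
inside an inline <script> block in the shape <attribute>=<value>, which is the
shape the PoC payload needs in order to produce '<body onload=...>'.
"""
import json
from urllib.parse import parse_qs, urlsplit

# PoC URL exactly as given in the report.
POC_URL = (
    "https://www.lahitapiolarahoitus.fi/wp-content/themes/bbe-child-starter/"
    "bbe-engine/assets/actions/bbe_open_htmleditor_popup.php"
    "?attribute=%27%3C/script%3E%3Cbody%20onload&value=alert(document.cookie)"
)


def get_params(url: str) -> dict:
    """Percent-decode the query string the way PHP's $_GET would."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def render_vulnerable(attribute: str, value: str) -> str:
    """Hypothetical vulnerable template: raw parameters inside <script>.

    The HTML tokenizer ends a script block at the FIRST '</script>' it sees,
    so a '</script>' inside 'attribute' drops the rest of the payload into
    HTML context, where '<body onload=...>' becomes a live event handler.
    (The 'bbe.' object is a made-up name for the demonstration.)
    """
    return (
        "<html><head><script>\n"
        f"bbe.{attribute}={value};\n"
        "</script></head><body></body></html>\n"
    )


def js_string_literal(text: str) -> str:
    """Encode untrusted text as a JavaScript string literal for an inline script.

    json.dumps handles quotes, backslashes and control characters, but leaves
    '</' and '<!--' alone, and those are exactly the sequences the HTML parser
    uses to end (or confuse) a script block. Escape them so the JS engine still
    sees '</' at runtime while the HTML tokenizer never does.
    """
    return json.dumps(text).replace("</", "<\\/").replace("<!--", "<\\!--")


def render_hardened(attribute: str, value: str) -> str:
    """Same page, with both parameters passed as data rather than code."""
    return (
        "<html><head><script>\n"
        f"bbe.setAttr({js_string_literal(attribute)}, {js_string_literal(value)});\n"
        "</script></head><body></body></html>\n"
    )


def count_script_closers(html: str) -> int:
    """Number of '</script>' sequences the HTML tokenizer will honour."""
    return html.lower().count("</script>")


if __name__ == "__main__":
    params = get_params(POC_URL)
    print("decoded parameters:", params)
    print("--- vulnerable render (two </script> closers, onload handler live) ---")
    print(render_vulnerable(**params))
    print("--- hardened render (one </script> closer, payload inert in a string) ---")
    print(render_hardened(**params))
```

The fix the program actually shipped, per the timeline, was to restrict access to the file rather than to encode its output, so the retest is a plain request to the PoC URL expecting an access-denied response instead of the popup page. The encoding shown in `render_hardened` is what applies when such a helper endpoint has to stay reachable: values that must end up in an inline script go in as string literals with `</` escaped, never as code.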

localtapiola-thomas Activities::BugDuplicate
2018-04-11T08:46:45.405Z
We have looked at the issue you have reported and found it to be a duplicate of a previously reported issue. The previously reported issue may or may not be publicly disclosed at this time. If the original report is not disclosed at this time, it may be disclosed later, at which time you can verify it. The simple answer to the question "if it is not publicly disclosed, how can I verify it" is, you have to trust us. We know what we are doing.

According to our internal ways of working, we do not add reporters of duplicates to the original reports. The reasoning is as follows. For simple issues with low business value, so-called "low hanging fruits", the necessity of verifying against the original is nonexistent - the issues are mostly self-explanatory. For more complex issues, out of respect to the original reporter, we do not want to even privately disclose the tools or methods that have been used.

For reference, this is the guideline by H1 on different options on how to handle duplicates:
* https://support.hackerone.com/hc/en-us/articles/207786846-How-do-we-handle-duplicate-reports-

If you want tips on how to avoid reporting duplicates, this resource might prove to be useful:
* https://forum.bugcrowd.com/t/how-do-you-avoid-duplicates-in-a-bug-bounty-program/432


chihuahua Activities::Comment
2018-04-11T08:51:08.449Z
Hello, this is not a duplicate and #324442 has been fixed. This is an XSS that happens in another URL. Please look carefully.


chihuahua Activities::Comment
2018-04-11T08:52:54.938Z
@localtapiola-thomas


localtapiola-thomas Activities::BugReopened
2018-04-11T08:53:04.608Z
hold on.


localtapiola-thomas Activities::BugTriaged
2018-04-11T09:12:12.919Z
Thanks a lot for reporting this potential issue back to us. LocalTapiola takes security very seriously and would appreciate if you would not share any information about this report until we have determined whether this is a bug and what any potential impact (or fix) will be.

Our security team will take a look at this issue as soon as possible. We aim to respond to your report as soon as possible, but due to the complexity of the systems, triaging many times can take a long time. We prioritize issues - reports containing trivial issues with limited (or no) business impact and badly written reports with insufficient information on how to reproduce the issue receive a lower priority. Please do not request updates for at least 20 days into the process. Once triaged and verified, bounty decisions are made 1-2 times per month.

*Note: if we frequently dismiss your reports, make sure you have read our policy and stay in scope and that you know how to write good reports:*
* https://support.hackerone.com/hc/en-us/articles/211538803-Step-by-Step-How-to-write-a-good-vulnerability-report
* http://blog.bugcrowd.com/advice-for-writing-a-great-vulnerability-report/

*Also, our policy contains a lot of information on what is relevant and what is not.*


Activities::BountyAwarded
2018-04-11T09:13:33.385Z
Bounty awarded based on other similar cases.


localtapiola-thomas Activities::Comment
2018-04-23T14:18:32.177Z
Could you please retest this, and also report if any other parameters are vulnerable?


chihuahua Activities::Comment
2018-04-24T00:49:48.118Z
OK, I have tested it; access to this file has been restricted.


localtapiola-thomas Activities::BugResolved
2018-04-27T14:00:51.217Z
Closing as resolved.


localtapiola-thomas Activities::AgreedOnGoingPublic
2018-04-28T10:16:28.668Z
We can do public disclosure.


localtapiola-thomas Activities::ReportSeverityUpdated
2018-04-28T10:17:14.632Z


chihuahua Activities::AgreedOnGoingPublic
2018-12-05T08:07:56.793Z


chihuahua Activities::ReportBecamePublic
2018-12-05T08:07:56.874Z