Post Thu Aug 29, 2013 3:42 pm

HTB23161: XSS in BackWPup WordPress Plugin

Advisory ID: HTB23161
Product: BackWPup WordPress Plugin
Vendor: Inpsyde GmbH
Vulnerable Versions: 3.0.12 and probably prior
Tested Version: 3.0.12
Vendor Notification: June 19, 2013
Vendor Fix: August 12, 2013
Public Disclosure: August 21, 2013
Latest Update: August 13, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-4626
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge Security Research Lab discovered XSS vulnerability in BackWPup WordPress Plugin, which can be exploited to perform cross-site scripting attacks against administrator of vulnerable application.

1) Cross-Site Scripting (XSS) in BackWPup WordPress Plugin: CVE-2013-4626
The vulnerability exists due to insufficient filtration of user-supplied data in "tab" HTTP GET parameter passed to "/wp-admin/admin.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses "alert()" JavaScript function to display administrator's cookies:
http://[host]/wp-admin/admin.php?page=backwpupeditjob&tab=%22%3E%3Cscript%3Ealert%28document.cookie% 29;%3C/script%3E

Solution:
Upgrade to BackWPup 3.0.13

More Information:
http://wordpress.org/plugins/backwpup/changelog/

References:
[1] High-Tech Bridge Advisory HTB23161 - https://www.htbridge.com/advisory/HTB23161 - Cross-Site Scripting (XSS) in BackWPup WordPress Plugin.
[2] BackWPup WordPress Plugin - http://wordpress.org/plugins/backwpup/ - BackWPup is the All-in-One backup solution for WordPress.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.