MoBiC-23 Bonus: XSS in Math Comment Spam Protection

22:54 23.11.2007

Continuing our discussion of the last participant in the project: Math Comment Spam Protection, a captcha plugin for WordPress. The vulnerable version is Math Comment Spam Protection 2.1 (and previous versions).

In addition to Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Peter’s Random Anti-Spam Image captcha). I found these Cross-Site Scripting holes on 22.11.2007.

There are two XSS holes, and both are persistent. They are in the plugin options page (http://site/wp-admin/options-general.php?page=math-comment-spam-protection.php), in the parameters mcsp_opt_msg_no_answer and mcsp_opt_msg_wrong_answer. Exploiting either hole requires a combined CSRF + XSS attack: the CSRF step makes the admin store the XSS code in the database, and the stored code then executes for the admin or for any visitor of the site who posts a comment with an empty or incorrect captcha value (or who is tricked into doing so).
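As an added illustration, not the plugin’s own code (the post does not show it): a vulnerable and a hardened version of the options save handler and the error-message output, using the two parameter names from the post as WordPress option names. The function names, the nonce action and field, and the form layout are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: a minimal admin-options
// handler and error-message output for a captcha plugin, modelled on the
// behaviour the post describes. Option names follow the parameters named in
// the post; everything else (function names, nonce action/field) is assumed.

// --- Vulnerable pattern: the options form has no CSRF token and the stored
// message is echoed to visitors unescaped. A forged POST submitted by a
// logged-in admin stores markup that later runs in the browser of anyone
// who submits an empty captcha answer.
function mcsp_save_options_vulnerable() {
    if ( isset( $_POST['mcsp_opt_msg_no_answer'] ) ) {
        update_option( 'mcsp_opt_msg_no_answer', $_POST['mcsp_opt_msg_no_answer'] );
    }
}
function mcsp_show_error_vulnerable() {
    echo get_option( 'mcsp_opt_msg_no_answer' ); // unescaped: persistent XSS
}

// --- Hardened pattern: capability check + nonce (closes the CSRF half),
// sanitize on save, and escape on output (closes the XSS half even if a
// bad value reaches the database by some other route).
function mcsp_save_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // The options form must emit the matching token with:
    // wp_nonce_field( 'mcsp_save_options', 'mcsp_nonce' );
    check_admin_referer( 'mcsp_save_options', 'mcsp_nonce' );

    foreach ( array( 'mcsp_opt_msg_no_answer', 'mcsp_opt_msg_wrong_answer' ) as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            // Strip tags, control characters and WordPress's added slashes before storing
            update_option( $name, sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) );
        }
    }
}
function mcsp_show_error_hardened( $which ) {
    $name = ( 'wrong' === $which ) ? 'mcsp_opt_msg_wrong_answer' : 'mcsp_opt_msg_no_answer';
    // HTML-escape at the point of output; this is the control that protects
    // the visitor who sees the comment-form error.
    echo '<p class="mcsp-error">' . esc_html( get_option( $name, '' ) ) . '</p>';
}
```

Escaping on output is the decisive control here: sanitizing on save alone leaves older database rows, or values written by other code paths, unprotected.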

XSS:

1. Attack on mcsp_opt_msg_no_answer value.

Math Comment Spam Protection CSRF.html

Math Comment Spam Protection XSS.html

2. Attack on mcsp_opt_msg_wrong_answer value.

Math Comment Spam Protection CSRF2.html

Math Comment Spam Protection XSS2.html

These exploits are for educational purposes only. Don’t use these holes and exploits for malicious purposes.

You need to set up the exploits before testing them (set the site’s URL and other data).

Moral: always make captchas more secure, and without XSS holes.


2 Responses to “MoBiC-23 Bonus: XSS in Math Comment Spam Protection”

  1. Michael says:

    Why don’t you inform the plugin’s authors about your findings? Fortunately, a blogger has informed me about your article.

    A fixed plugin version, 2.2, is available in the meantime. It is not yet available at wordpress.org, since it takes a while until their website script updates the latest uploads, but it is available at the plugin’s website.

  2. MustLive says:

    Michael

    I didn’t inform you about the holes in your plugin yet for a few reasons. First, lack of time (I’m a very busy man and I was overloaded with my MoBiC project). Second, in the Month of Bugs in Captchas project I decided not to inform all captcha developers in November, but to inform them in December (on the other hand, I announced my project in October). This is because of the time needed to inform every captcha developer (in whose captchas I found holes), and also because of the idea of the project: that developers must themselves watch the security of their captchas. Which is very easy with my project, where I posted holes in captchas only, so there is no need to watch many sources; just watch my MoBiC project to find out if your captcha is vulnerable, and if it is, fix it.

    But in any case I was trying to inform the users of those captchas which would be in my project beforehand. In the case of your plugin, I informed the admin of the blog at tehposse.org (which uses Math Comment Spam Protection).

    And it is good that you found this article (which was made for you and for every user of the plugin) and have already fixed the XSS holes. When I find time, I may look at the new version of your plugin (to check how it was fixed).

    But, Michael, as I see from your comment and from the post at your site, you fixed only the XSS holes. But this is only a bonus post about the XSS holes in Math Comment Spam Protection. The main post is about the Insufficient Anti-automation hole in your plugin: it’s about bypassing the captcha, which is the main topic of the MoBiC project. Did you read that article? I see you didn’t. I recommend you read it too and fix the hole.
