Registration Magic Multiple Unauthenticated XSS Vulnerabilities (Version 4.6.0.0)


Background

After discovering two new WordPress plugin vulnerabilities on a recent web application penetration test (which were authenticated and difficult to weaponise), I decided to go in search of some higher-ticket WordPress plugin vulnerabilities in my spare time. I started downloading registration form and forum building plugins, as these are more likely to contain unauthenticated or customer-facing vulnerabilities.

It really did not take that long. About 10 minutes from installing the first plugin, to be exact.

Introducing RegistrationMagic – Custom Registration Forms and User Login version 4.6.0.0, a form-building plugin which allows users to create custom login forms, contact forms and other form-based software ideas. However, the vulnerability in the discussion above would need authentication as an administrator to be useful. I had a feeling that a more useful bug could be found in this plugin, so I started building forms and adding them into my lab.


Technical Details

Unauthenticated Stored (XSS) on Contact Form

Here you can see the XSS being injected into the Name field of a contact form generated by Registration Magic.

Next, we go to the contact form and select to view the submissions.


Uh oh... so an unauthenticated user can make a submission into one of these generated contact forms and run code inside the administrator's browser, potentially stealing session tokens. Anyone running this plugin could easily lose access to their site.


Reflected XSS on Multiple Parameters

Next, we have more XSS vulnerabilities, which were discovered during fuzzing.

http://192.168.0.34/rm_submissions/?%22%3E%3Cscript%3Ealert(%27Vulnerable%20XSS%27)%3C%2fscript%3Exolca=1

http://192.168.0.31/wp-admin/admin.php?page=rm_form_sett_manage&rm_form_id=607h4knr%22%3e%3cscript%3ealert(1)%3c%2fscript%3edsukr

The following parameters were also affected by XSS inside the application.

rm_form_id, form_name, Textarea_, TextBox_

Code Breakdown

In plenty of places in the code, parameter values are taken by the application without proper validation checks. I am going to outline a few examples now.

Here we can see in the comments "take value from various variables and reload pages with those updated", but there are no validation controls, and using an intercepting proxy such as Burp we can modify the rm_form_id content taken from the dropdown.

//Takes value of various status variables (form_id, timeline_range) and reloads page with those parameters updated.
function rm_refresh_stats(){
    var form_id = jQuery('#rm_form_dropdown').val();
    var trange = jQuery('#rm_stat_timerange').val();
    if(typeof trange == 'undefined')
        trange = '';
    // form_id is taken straight from the dropdown and placed in the URL without any validation.
    window.location = '?page=rm_analytics_show_form&rm_form_id=' + form_id + '&rm_tr=' + trange;
}

Here we can see form_id being read straight from the request; it is later echoed into the page served to the browser without escaping.

// Request parameter taken as-is, with no validation or sanitisation.
$form_id = $_GET['form_id'];
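To show what the fix looks like for both the reflected form_id case and the stored contact-form case, here is an added example (not RegistrationMagic's code) placing the echo-back pattern above beside a hardened version built on WordPress's own sanitisation and escaping helpers. The function names, field names (TextBox_1, Textarea_1) and markup are constructed for the example.

```php
<?php
// Added example, not the plugin's code: vulnerable pattern beside a hardened one.
// Function names, field names and markup are constructed for illustration.

// VULNERABLE: the request value is read and echoed with no validation or
// escaping, so a crafted form_id closes the attribute and injects markup.
function rm_example_render_form_id_unsafe() {
    $form_id = $_GET['form_id'];
    echo '<input type="hidden" name="form_id" value="' . $form_id . '">';
}

// HARDENED: form IDs are integers, so coerce with absint() and reject 0, then
// still escape on output with esc_attr() (defence in depth, cheap to keep).
function rm_example_render_form_id_safe() {
    $form_id = isset( $_GET['form_id'] ) ? absint( wp_unslash( $_GET['form_id'] ) ) : 0;
    if ( 0 === $form_id ) {
        wp_die( esc_html__( 'Invalid form ID.', 'rm-example' ) ); // constructed text domain
    }
    echo '<input type="hidden" name="form_id" value="' . esc_attr( $form_id ) . '">';
}

// STORED CASE: free-text submission fields are sanitised on the way in and
// escaped on the way out, so a public submission cannot execute script in the
// administrator's submissions view.
function rm_example_store_submission( array $post ) {
    $clean = array();
    foreach ( array( 'Name', 'TextBox_1', 'Textarea_1' ) as $field ) {
        $raw = isset( $post[ $field ] ) ? wp_unslash( $post[ $field ] ) : '';
        // sanitize_textarea_field() keeps newlines; sanitize_text_field() strips them.
        $clean[ $field ] = ( 'Textarea_1' === $field )
            ? sanitize_textarea_field( $raw )
            : sanitize_text_field( $raw );
    }
    return $clean; // pass to $wpdb->insert() with an explicit format array
}

function rm_example_render_submission( array $row ) {
    // Escape per output context: esc_html() for element content,
    // esc_attr() for attribute values. Sanitising on input alone is not enough.
    echo '<td>' . esc_html( $row['Name'] ) . '</td>';
    echo '<td>' . esc_html( $row['TextBox_1'] ) . '</td>';
    echo '<td>' . nl2br( esc_html( $row['Textarea_1'] ) ) . '</td>';
}
```

The same two rules, validate or sanitise on input and escape for the specific output context, apply to every parameter listed above (rm_form_id, form_name, Textarea_, TextBox_).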

Remediation

Update to the latest version of Registration Magic.

PART 2 – SQL Injection