PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons
Today’s post is part two of a two-part blog post. It describes a cross-site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of PHP_SELF.
On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.
After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. An initial patch, version 3.0.9, was released the next day, on August 31, 2021.
A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.
Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.
Affected Plugin: Easy Social Icons
Plugin Slug: easy-social-icons
Affected Versions: <= 3.0.8
CVE ID: CVE-2021-39322
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.3
The Easy Social Icons plugin options page contained a JavaScript function designed to display a confirmation dialog when a user deleted an icon, and then redirect them to a URL that would perform the final deletion. It constructed this URL using the value of the $_SERVER['PHP_SELF'] variable. This differs slightly from yesterday’s vulnerability, which used $GLOBALS['PHP_SELF'].
function show_confirm(title, id) {
    var rpath1 = "";
    var rpath2 = "";
    var r = confirm('Are you confirm to delete "'+title+'"');
    if (r == true) {
        rpath1 = '<?php echo $_SERVER['PHP_SELF'].'?page=cnss_social_icon_page'; ?>';
        rpath2 = '&cnss-delete=y&id='+id;
        window.location = rpath1+rpath2;
    }
}
The primary difference between $GLOBALS and $_SERVER is that $_SERVER is a built-in PHP “superglobal” variable that holds values provided by the webserver (such as Apache or Nginx), while $GLOBALS is a built-in PHP variable that holds the contents of all of PHP’s “superglobal” variables, including $_GET and $_POST, as well as the contents of $_SERVER.
As with yesterday’s vulnerability, sites running Apache and modPHP store additional path information after the filename in PHP_SELF by default, which means an attacker can add malicious JavaScript to the path itself. Since PHP_SELF was echoed out in quotes inside an existing JavaScript block, however, it was also necessary to close the existing script tag in order to exploit this vulnerability, e.g.:
<siteURL>/wp-admin/admin.php//index"/></script><script>alert(/xss/);</script>?page=cnss_social_icon_page
While sites running on Apache+modPHP, which is an extremely common configuration, are most likely to be vulnerable, other configurations may be vulnerable as well depending on how they have been set up.
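Added example (not the plugin’s or Wordfence’s code) in plain PHP, contrasting the pattern shown above with a context-safe way of building the same redirect string. The $php_self value is constructed to stand in for what Apache+modPHP would place in PHP_SELF on a request carrying hostile path info, and unsafe_rpath(), js_string() and safe_rpath() are hypothetical helper names. Inside WordPress the same result would normally come from admin_url() and wp_json_encode(); they are not used here so that the block runs stand-alone.

```php
<?php
// Added example, not the plugin's code. Under Apache+modPHP, PHP_SELF is the
// script path plus any PATH_INFO, so /wp-admin/admin.php/<extra> puts
// attacker-chosen bytes into $_SERVER['PHP_SELF'].

// Constructed stand-in for PHP_SELF on a request carrying hostile path info.
$php_self = '/wp-admin/admin.php/x"/></script><script>/*injected*/</script>';

// The vulnerable pattern from the options page: raw PHP_SELF inside a JS string.
function unsafe_rpath(string $php_self): string
{
    return "rpath1 = '" . $php_self . "?page=cnss_social_icon_page';";
}

// Encode a value as a JavaScript string literal. The JSON_HEX_* flags turn
// < > " ' & into \uXXXX escapes, so whatever the value contains it can close
// neither the quote nor the enclosing <script> element.
function js_string(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_AMP);
}

// Hardened pattern: build the redirect from a fixed script path rather than
// from the request, and encode it for the JavaScript context anyway.
function safe_rpath(string $admin_base = '/wp-admin/admin.php'): string
{
    return 'rpath1 = ' . js_string($admin_base . '?page=cnss_social_icon_page') . ';';
}

echo unsafe_rpath($php_self), PHP_EOL; // quote and script element both closed by the path
echo safe_rpath(), PHP_EOL;            // fixed path, emitted as an escaped JS string literal
echo js_string($php_self), PHP_EOL;    // hostile bytes survive only as \u-escapes
```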
As with most reflected XSS vulnerabilities impacting WordPress, a crafted link could be used to execute JavaScript in an administrator’s session, which could be used to take over a site by adding a backdoor to a plugin or theme file or adding a malicious admin user.
Timeline
August 16, 2021 – Wordfence Threat Intelligence finds the vulnerability and attempts to contact the plugin developer. We release a firewall rule to protect Wordfence Premium users.
August 30, 2021 – After 2 weeks without a response we contact the WordPress plugins team.
August 31, 2021 – A patched version of the plugin is made available.
September 15, 2021 – Sites running the free version of Wordfence receive the firewall rule.
Conclusion
In today’s article, we covered a reflected Cross-Site Scripting (XSS) vulnerability in the Easy Social Icons plugin which could be used to execute malicious JavaScript in an administrator’s session and take over a site.
Wordfence Premium users have been protected against this vulnerability since August 16, 2021. Sites still running the free version of Wordfence received the same protection on September 15, 2021. We strongly recommend updating to the latest version available, 3.1.3, as soon as possible, as it also contains additional fixes, though the Wordfence Firewall blocks exploitation of these additional vulnerabilities via its built-in XSS protection.
If you believe your site has been compromised as a result of this or any other attack, Wordfence offers professional Site Cleaning services. Our Security Analysts remove any malware found, and also determine the intrusion vector if possible, as well as providing recommendations to prevent future infections.
If anyone you know is using the Easy Social Icons plugin, please forward this article to them and encourage them to update. If you’d like to be alerted when we publish new threat research, you can join our mailing list on this page.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.