Democracy 2.0.1 HTML Injection Vulnerability
Intro
Democracy is a popular AJAX-driven voting (poll) plugin for WordPress.
BlogSecurity found a vulnerability in the latest version of Democracy (2.0.1): attacker-controlled input reaches an HTML attribute without the single quote being escaped, allowing script injection (XSS). An attacker who lures an administrator or user to a crafted URL can steal that session's cookie and hijack the account, and the same injection point supports a number of other attacks (page defacement, phishing forms, and so on).
Proof of concept (test your blog):
http://wordpress.dom/blah'style=xss:expression(alert(document.cookie)); (Tested on IE7)
OR
http://wordpress.dom/blah'onMouseOver=javascript:alert(document.cookie);// (Tested on Firefox and IE)
The proof-of-concept URLs above can be used to test whether a blog is vulnerable: the single quote closes the attribute the plugin writes the current URL into, and what follows is injected as a new attribute. Replace wordpress.dom with the hostname of a blog that has a Democracy poll on the requested page.
How to fix?
Go to your democracy plugin directory and edit class.php.
Vulnerable code: in class.php (Line 166)
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)));
Change to:
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)), ENT_QUOTES);
add_query_arg() is called here without a base URL, so it builds on the current request URI, which the attacker controls. htmlspecialchars() with its default flags escapes double quotes but not single quotes, and the plugin writes $url into a single-quoted HTML attribute, so a single quote in the request URI closes that attribute and everything after it becomes attacker-supplied markup. Passing ENT_QUOTES makes htmlspecialchars() escape single quotes as well, which is the fix.
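The following is an added example, not code from the Democracy plugin or from BlogSecurity, that shows the proof-of-concept request above passing through the vulnerable and the fixed escaping side by side. add_query_arg() is a WordPress function and is not available outside WordPress, so fake_add_query_arg() stands in for it with a constructed result; the single-quoted href attribute, the poll id and the request path are assumptions that mirror what the PoC implies. ENT_COMPAT is passed explicitly to the vulnerable version because on PHP 8.1 and later the default flags of htmlspecialchars() already include ENT_QUOTES, so the original line is only vulnerable on older PHP.

```php
<?php
// Added example (not the plugin's code): vulnerable vs fixed escaping of the
// URL that Democracy writes into a single-quoted attribute.

// Constructed attacker request path, as in the article's Firefox/IE PoC.
$request_uri = "/blah'onMouseOver=javascript:alert(document.cookie);//";
$poll_id     = 7;   // assumed poll id

// Stand-in for WordPress add_query_arg() called without a base URL: it appends
// the query arguments to the current request URI (constructed to mirror that).
function fake_add_query_arg(string $request_uri, int $poll_id): string {
    return $request_uri . '?dem_action=view&dem_poll_id=' . $poll_id;
}

// Vulnerable: ENT_COMPAT (the pre-8.1 default) escapes " but leaves ' alone,
// so the attacker's quote terminates the href attribute early.
function render_vulnerable(string $request_uri, int $poll_id): string {
    $url = htmlspecialchars(fake_add_query_arg($request_uri, $poll_id), ENT_COMPAT);
    return "<a href='$url'>View results</a>";   // assumed single-quoted attribute
}

// Fixed: ENT_QUOTES also turns ' into &#039;, so the attribute stays closed
// only where the template closes it.
function render_fixed(string $request_uri, int $poll_id): string {
    $url = htmlspecialchars(fake_add_query_arg($request_uri, $poll_id), ENT_QUOTES);
    return "<a href='$url'>View results</a>";
}

// Check: a well-formed single-quoted href contains exactly two raw single quotes.
// A third one means the attacker broke out of the attribute.
function attribute_intact(string $html): bool {
    return substr_count($html, "'") === 2;
}

foreach (['vulnerable' => render_vulnerable($request_uri, $poll_id),
          'fixed'      => render_fixed($request_uri, $poll_id)] as $label => $html) {
    printf("%-10s %s\n", $label, $html);
    printf("%-10s attribute intact: %s\n", '', attribute_intact($html) ? 'yes' : 'NO');
}
```

Run with `php example.php`: the vulnerable line renders `href='/blah'onMouseOver=...'`, where the second quote ends the href and onMouseOver becomes a live event handler on the link, while the fixed line renders `href='/blah&#039;onMouseOver=...'`. The same substr_count() check applied to a fetched page is a quick way to confirm whether a blog's output still reflects the raw quote.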
Summary
The Democracy author was contacted initially on 31 December, and then again at the beginning of last week. As we have not heard anything in over 15 days, we are releasing the advisory along with a fix.
David Kierznowski is credited for the find.
Comments
don’t you run the Democracy plugin on this blog? did you find this from dynamically testing or did you find it in the code?
Plugin removed after minor issues. Searching for solutions showed that this plugin has a long reputation of weird issues and the author's support is minor…
Taking the possible security issue (though fixed here) into account, I came to my decision.
I released the original exploit a year and a half ago, so hi, welcome to the fraternity of Democracy exploit finders. We’re a small and humble bunch. ;-)
I can’t get this to work though. Maybe I’m missing something. My team has tested on all major browsers and on Macs and PCs. Can you elaborate on the trick here? Or contact me privately and we can look at some specific cases.
Aaron, you asked for it :):
Try (in IE7)
http://www.problogger.net/'style=xss:expression(alert(document.cookie));//
You may have to force close your IE afterwards though, so be prepared :)
Note: you may need to replace the single quote manually, as a direct copy and paste may not work.
[...] installed a polling plugin (and fixed it), so let’s make this a democratic process! Would you pay $20 / €18 for the extra iPod [...]