3. Once saved that file was accessible from the gist URL shown below:
https://gist.github.com/cornerpirate/42a96c5f059796086340d39bfb63eff8
4. Obtain the “raw” link to that content using the button as shown below:
Figure 1 – Raw button shown on gist UI
5. This gave a URL like the one shown below:
6. Create a new blog post and add a shortcode similar to the one shown below:
[gist id='cornerpirate/42a96c5f059796086340d39bfb63eff8/raw/56dacb78320139aaedfefdfe62eb92aa2748a355/anything']
Note: this used the URL to the raw version of the file saved on gist but with the “.json” part omitted.
Having followed the above steps as a contributor-level user, the injected JavaScript executes whenever the post is previewed or viewed, as shown below:
Figure 2 – XSS Confirmed
This functionality can be exploited by a contributor user who can create blog posts. That is a low-privileged user account, and typically a higher-privileged user will be required to approve the post. This can be used to effect a privilege escalation by using JavaScript to execute commands on WordPress with the privileges of the higher user.
Risk Analysis
Risk Category: High
CVSSv3.1 Score: 5.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Explanation: XSS can pose a significant risk. Due to the likely use for privilege escalation in WordPress, the risk categorisation of “high” was believed to be appropriate.
Recommendation
In this case the solution is to add input validation to prevent invalid gist “id” values. There is an expected format for these ids. An example id is shown below:
42a96c5f059796086340d39bfb63eff8
The intended value contains only characters from the sets 0-9 and a-f, and is 32 characters long.
Gistpress should be updated to validate that the “id” value matches that format before attempting to download content. This would prevent the vulnerability.
Vendor Response
The gistpress project lead responded positively to the disclosure and patched the project as per this update.
The key part of the update is illustrated in Figure 3:
Figure 3 – Validation Added
The patch worked by using “preg_replace” to remove any non-alphanumeric characters from the “id” parameter value.
Advice was provided stating that data sanitisation is not the most secure approach. The preferred solution should halt processing of the request if the “id” format is invalid. However, the XSS attack appeared adequately mitigated because the payload relied on the presence of the forward slash (“/”) character.
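The two approaches discussed above, the patch's strip-and-continue sanitisation and the recommended validate-and-halt check from the Recommendation section, side by side as an added PHP example (not GistPress's own code; the function names are hypothetical):

```php
<?php
// Added example, not GistPress's own code. Function names are hypothetical.
// gistpress_sanitize_id() mirrors what the patch did (preg_replace strips
// non-alphanumerics); gistpress_validate_id() is the stricter approach
// recommended above (accept exactly 32 lowercase hex characters, else stop).

// Mirrors the patch: remove everything outside [A-Za-z0-9]. Whatever remains
// is passed on, so a malformed id is silently rewritten rather than rejected.
function gistpress_sanitize_id(string $id): string {
    return preg_replace('/[^A-Za-z0-9]/', '', $id);
}

// Preferred: accept only the documented gist id format and halt otherwise.
// Returns the id unchanged on success, or null when processing should stop.
function gistpress_validate_id(string $id): ?string {
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1 ? $id : null;
}

// Constructed inputs: the legitimate id from this write-up, the id shape used
// in the finding (a raw-file path carried in via "/"), and two malformed ids.
$inputs = [
    '42a96c5f059796086340d39bfb63eff8',
    'cornerpirate/42a96c5f059796086340d39bfb63eff8/raw/56dacb78320139aaedfefdfe62eb92aa2748a355/anything',
    '42A96C5F059796086340D39BFB63EFF8', // wrong case for the expected format
    '42a96c5f059796086340d39bfb63eff',  // 31 characters
];

foreach ($inputs as $id) {
    $sanitized = gistpress_sanitize_id($id);
    $validated = gistpress_validate_id($id);
    printf("input:     %s\n", $id);
    printf("sanitized: %s (%d chars, request still proceeds)\n", $sanitized, strlen($sanitized));
    printf("validated: %s\n\n", $validated === null ? 'REJECTED, stop processing' : 'accepted');
}
```

Only the first input passes the strict check; the sanitised version of the second input loses its slashes and is still sent on as a (now meaningless) id, which is why halting on invalid input is the safer design.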
The vulnerability had been mitigated by version 3.0.2 of gistpress.
Affected Item
The affected item was:
- Gistpress shortcode handling of the “id” parameter.
- In version 3.0.1 and lower