    #1274011

    We are using the Acunetix scanner for our security testing. It shows us a vulnerability on sites with pagination. Is this a false positive, or how can we fix this?

    HTTP Request:

    GET /support/knowledgebase_de/?%25%32%37%25%36%46%25%36%45%25%36%44%25%36%46%25%37%35%25%37%33%25%36%35%25%36%46%25%37%36%25%36%35%25%37%32%25%33%44%25%32%37%25%33%35%25%35%36%25%33%34%25%36%44%25%32%38%25%33%39%25%33%30%25%33%34%25%33%32%25%33%34%25%32%39%25%32%37%25%36%32%25%36%31%25%36%34%25%33%44%25%32%37 HTTP/1.1
    Referer: https://www.XYZ.com/
    Cookie: .....
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    Host: www.XYZ.com
    Connection: Keep-alive

    HTTP Response:

    <span class='av-structured-data'  itemprop="publisher" itemtype="https://schema.org/Organization" itemscope="itemscope" >
    						<span itemprop='name'>USER123</span>
    						<span itemprop='logo' itemscope itemtype='https://schema.org/ImageObject'>
    							<span itemprop='url'>https://www.XYZ.com/wp-content/uploads/XYZ_Logo_250x78.png</span>
    						 </span>
    				</span><span class='av-structured-data'  itemprop="author" itemscope="itemscope" itemtype="https://schema.org/Person" ><span itemprop='name'>USER123</span></span><span class='av-structured-data'  itemprop="datePublished" datetime="2014-03-04T14:03:14+02:00" >2020-11-18 14:35:00</span><span class='av-structured-data'  itemprop="dateModified" itemtype="https://schema.org/dateModified" >2020-11-18 14:36:39</span><span class='av-structured-data'  itemprop="mainEntityOfPage" itemtype="https://schema.org/mainEntityOfPage" ><span itemprop='name'>Kein Autostart blabla</span></span></span></article></div></div><div class='pagination-wrap pagination-slider'><nav class='pagination'><span class='pagination-meta'>Seite 1 von 36</span><span class='current'>1</span><a href='https://www.XYZ.com/support/knowledgebase_de/?'onmouseover='5V4m(90424)'bad='&avia-element-paging=2' class='inactive next_page' >2</a><a href='https://www.XYZ.com/support/knowledgebase_de/?'onmouseover='5V4m(90424)'bad='&avia-element-paging=3' class='inactive' >3</a><a href='https://www.XYZ.com/support/knowledgebase_de/?'onmouseover='5V4m(90424)'bad='&avia-element-paging=2'>&rsaquo;</a><a href='https://www.XYZ.com/support/knowledgebase_de/?'onmouseover='5V4m(90424)'bad='&avia-element-paging=36'>&raquo;</a></nav>

    As you can see, the injected code is not validated and is shown in the pagination:

    knowledgebase_de/?'onmouseover='5V4m(90424)'bad='&avia-element-paging=3'

    Regards
    Tobias

    #1274665

    Hey Tobias,

    Thank you for using Enfold and reporting this.

    Could you please tell us the steps to reproduce this – so we can check?

    Normally WP should filter the query strings as far as I’m concerned – but I’m not a security expert.

    Best regards,
    Günter

    #1274678

    Of course. I'll send you the links. Strange thing: we have affected and unaffected pages on the same site.

    Just search in the source code for “onmouseover”.

    Source Code

    #1275482

    Hi,

    Sorry for the late reply and thanks for the links.

    With the next version we added a fix for paging injection reported in another similar case. Can you please try whether this fixes your case too?

    In framework\php\function-set-avia-frontend.php around line 1401 (in function avia_which_archive() ) you find:

        // Original code: the raw request parameter is concatenated into the output.
        if (isset($_GET['paged']) && !empty($_GET['paged']))
        {
            $output .= ' ('.__('Page','avia_framework').' '.$_GET['paged'].')';
        }


    Replace these lines with:

        if( isset( $_GET['paged'] ) && ! empty( $_GET['paged'] ) )
        {
            //	avoid xss vulnerability - e.g. injection of code
            //	only a numeric page value is ever echoed; anything else is dropped
            $output .= is_numeric( $_GET['paged'] ) ? ' (' . __( 'Page', 'avia_framework' ) . ' ' . $_GET['paged'] . ')' : '';
        }

    Do not forget to make a backup of the original file for a fallback and clear server and browser cache.
    If you want us to make the changes please provide WP admin and FTP access.

    Best regards,
    Günter

    #1275488

    Thank you for the fix, I implemented it on the affected site. Unfortunately it doesn’t fix the issue.

    #1275498

    Hi,

    Digging deeper: this seems to be a problem in WP core.

    We are using the standard WP function 'get_pagenum_link' to get and modify the resulting query string for paging. Adding your string above to a URI, WP returns the injection unmodified from this function.

    In my opinion this should be handled by WP. Maybe you can try to open a ticket at WordPress.org and report it there?

    Best regards,
    Günter
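The two Enfold posts above (the `is_numeric` check on `$_GET['paged']`, and the later finding that the link returned by `get_pagenum_link` still carries the raw query string) together point at the general fix for this class of bug: a pagination link must be rebuilt from parsed parameters and then escaped for the attribute it is written into, rather than reflecting the request's query string verbatim. The following standalone PHP script is an added example, not Enfold or WordPress code; it reproduces the unsafe pattern next to a hardened one on the same payload the scanner used. Function names and the sample request line are constructed for this example.

```php
<?php
// Added example (not Enfold or WordPress code): building a "next page" link from a
// request URI that an attacker controls, the unsafe way and a safe way.

// Constructed sample: the single-decoded form of the scanner payload from the thread.
$request_uri = "/support/knowledgebase_de/?'onmouseover='5V4m(90424)'bad='&avia-element-paging=2";

// UNSAFE: reflects the raw query string into a single-quoted href attribute.
// The attacker-supplied ' closes the attribute and onmouseover= becomes a live handler,
// which is exactly what the response in the first post shows.
function unsafe_next_link(string $request_uri, int $page): string
{
    $path  = parse_url($request_uri, PHP_URL_PATH) ?? '/';
    $query = parse_url($request_uri, PHP_URL_QUERY) ?? '';
    return "<a href='{$path}?{$query}&avia-element-paging={$page}'>{$page}</a>";
}

// SAFE: parse the query string into parameters, force the paging value to an integer,
// rebuild the query with http_build_query() (percent-encodes every key and value), and
// escape the finished URL for the attribute context with ENT_QUOTES so neither ' nor "
// can terminate the attribute. In WordPress the same two roles are played by building
// the URL with add_query_arg()/esc_url() and escaping with esc_attr() (assumption: the
// theme's output path would call those instead of the plain PHP functions used here).
function safe_next_link(string $request_uri, int $page): string
{
    $path = parse_url($request_uri, PHP_URL_PATH) ?? '/';
    parse_str(parse_url($request_uri, PHP_URL_QUERY) ?? '', $params);

    // Only an integer ever reaches the output; the original string is discarded.
    $params['avia-element-paging'] = max(1, $page);

    $url  = $path . '?' . http_build_query($params);
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='{$attr}'>" . (int) $page . "</a>";
}

echo "unsafe: ", unsafe_next_link($request_uri, 3), PHP_EOL;
echo "safe:   ", safe_next_link($request_uri, 3), PHP_EOL;
```

Run with `php example.php`. The unsafe line reproduces the `href='...?'onmouseover='5V4m(90424)'bad='...` markup from the response in the first post; the safe line yields `?%27onmouseover=%275V4m%2890424%29%27bad%3D%27&amp;avia-element-paging=3`, where the quote is percent-encoded and can no longer close the attribute. Two points worth checking when reviewing a theme's pagination code: first, whether every value that is written into `href` passes through an escaping function on the way out, because validating one parameter (`paged`) does nothing for the rest of the query string that the link carries along; second, how many times the request is decoded before output. The request in the first post is double-percent-encoded (`%25%32%37` is `%27` encoded once more), and a single decode leaves `%27`, which is inert inside an attribute, so a raw quote appearing in the response means the value was decoded again somewhere before it was echoed. Decode request input once and encode on output.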
