XSS Vulnerability in ALO Easy Mail Newsletter

Eventualo Forum » EasyMail v.2

XSS Vulnerability in ALO Easy Mail Newsletter

(23 posts) (10 voices)

Started 1 year ago by SkyWalker
Latest reply from alo

Tags:

XSS vulnerability

12 Next »

SkyWalker
Member

Hi,

I received the following alert from my Wordpress security scanner of an XSS vulnerability:

<blog url>?alo_em_opt_email=1&alo_em_opt_name=1&submit=Subscribe in those input arguments email and name.

Anybody know of a fix for this? The version I use is v2.2 I don't know too much about
PHP scripting.

Posted 1 year ago #
tough toad
Member

Just got this myself. Any resolution to this?

Your site has a XSS vulnerability that needs
to be corrected so that it does not easily get
hacked.

Page URL: http://www.anncharles.com?alo_em_opt_email%3D1%26alo_em_opt_name%3D1%26submit%3DSubscribe
Xss Info: Cross site scripting vulnerability found in args alo_em_opt_email, alo_em_opt_name, submit

Posted 1 year ago #
alo
Key Master

Thanks for the report. I'm uploading a new version (2.4.4) that should fix the vulnerabilities. It will be downloadable soon...

Posted 1 year ago #
alo
Key Master

You can see the changes in coming version 2.4.4 here on WP trac.
I hope it can fix the issue. Any test and help is appreciated.

Posted 1 year ago #
andreibexa
Member

dirty quick fix:
# alo-easymail-functions.php

function alo_em_add_subscriber - around line 752

CHANGE FROM:
$email = $fields['email'];

TO:
$email = esc_attr($fields['email']);
$fields['email'] = esc_attr($fields['email']);
$fields['name'] = esc_attr($fields['name']);

Posted 1 year ago #
alo
Key Master
Thanks andreibexa, but the escape of the fields is made some lines later by $wpdb->insert.
For everybody, here you are the vulnerability report sent to me:

we’ve found a Cross Site Scripting Bug in the alo-easymail Plugin
(http://wordpress.org/extend/plugins/alo-easymail/).
The flaw exists in the Newsletter Widget.
When the form is submitted without ajax using the normal form (ie by
disabling Javascript), the output of the parameters
alo_em_opt_name
alo_em_opt_email
are not encoded.

Sample Request:
POST / HTTP/1.1
[...]
alo_em_opt_name=%3casdf%3e&alo_em_opt_email=%3casdf%3e&submit=Abonnieren

Here the tags are written directly into the HTML Source Code.

When using the Ajax method, you can also insert HTML Tags
(Example response:
document.getElementById(‘alo_easymail_widget_feedback’).innerHTML =
‘
‘).
I have not checked the Text Parameters (alo_em_error_on_sending,
alo_em_error_email_activated, …) because i can not cause errors that
output these messages, but these Parameters should also be checked.

So into the coming version 2.4.4 I added these fixes:

1 - about the for submitted without javascript/ajax, I added this code in an action in a 'init' hook:
```
if ( !defined('DOING_AJAX') || ! DOING_AJAX )
        {
                if ( isset($_POST['alo_em_opt_name']) ) unset($_POST['alo_em_opt_name']);
                if ( isset($_POST['alo_em_opt_email']) ) unset($_POST['alo_em_opt_email']);
                // we do not unset 'submit' because its common name,
                // so it could be maybe used by other plugins: only a safe escape
                if ( isset($_POST['submit']) ) esc_sql($_POST['submit']);
        }
```
2 - about all the txt messages printed in javascript (alo_em_error_on_sending, alo_em_error_email_activated...) now all of them are escaped with esc_js/esc_sql.

You can see the changes in coming version 2.4.4 in this page on WP trac.
Posted 1 year ago #
Kevin
Member

I have what I thought was a stable wordpress installation until today. All the plugins are missing from the site. They are still in the plugin directory (/wp-content/plugins/) on the server. However, wordpress does not see any of them in the dashboard. Re installing a backup of my database did not help.

After making coffee, taking two Excedrin and prayer. I tried to re-install the plugins. !!"failed, directory exists"!!

I renamed the directory and re installed one of my plugins. The settings were all there! Hmmmmm. The database must be ok then.

Still does not explain why all the plugins disappeared from the dashboard. Could this be because of the XSS Vulnerability?

Posted 1 year ago #
Kevin
Member

Because of the issue I mentioned above I can not get to my address lists. I trust all my address lists are still there. I sure would like a new copy of easy mail newsletter to install to be able to see them to export them.

Posted 1 year ago #
sarahwhg
Member

Any idea when the fix will be released? I need to set up and send out a newsletter on a new site.

Thanks

Posted 1 year ago #
alo
Key Master

I hope it'll be downloadable in a couple of days...

Posted 1 year ago #
stuartshields
Member

Is it okay to keep activated if you don't use the widget?

Posted 1 year ago #
alo
Key Master

The form is included also in newsletter page, usually titled Newsletter, so you have to temporary unpublish it (you can make it as draft). Note that unsubscriptions will be not possible if the page is unpublish.

Posted 1 year ago #
TonyBellardi
Member

mammaia all'inglese :) si può sapere in Italiano cosa stia succedendo ? grazie.

Posted 1 year ago #
TonyBellardi
Member

io ho la Versione 2.4.3

Posted 1 year ago #
alo
Key Master

(Italian summary)
Ciao Tony, ho visto le tue email ma non ho avuto modo di leggerle e risponderti.
E' stata rilevata una vulnerabilità del mio plugin verso un possibile attacco xss. In pratica qualcuno potrebbe sfruttare il form di iscrizione alla newsletter per iniettare codice maligno e causare danni al blog.
Quindi, la soluzione migliore è: disattivare temporaneamente il plugin. Tra un paio di giorni dovrebbe essere disponibile la nuova versione corretta.
In alternativa, puoi tenere il plugin attivo ma devi: rimuovere il widget, impostare la pagina intitolata Newsletter come bozza. In questo modo il form non è accessibile e non ci dovrebbero essere rischi, ma non posso garantire.

Posted 1 year ago #
TonyBellardi
Member

arg ti spiego.. nelle mail ti spiegavo che starei inviando una newsletter proprio in questo momento a 10.500 iscritti... e ti chiedevo lumi avendo fatto: aggiungi destinatari in coda, la premessa è che avevo sempre inviato news al max a 200 utenti quindi inviavo subito. Sono ignorante in materia di newletter e mi chiedevo cosa dovessi vado dopo aver messo in coda i destinatari, premessa ulteriore è che da ieri ho la finestra di alert aperta senza che però mi mostri nulla se non la PAUSA, se guardo il movimento della connessione vedo che ricevo e invio pacchetti da 3 o 4 byte ogni secondo quindi penso stia lavorando...

diciamo questo due domande:

- cosa dovrò fare dopo aver messo i destinatari in coda ? un ulteriore invio ?
- cosa intendi per widget ? non ho widget della newsletter
- se metto in bozza la pagina newsletter l'invio della attuale newsletter può continuare ?

Posted 1 year ago #
TonyBellardi
Member

ho messo in bozza la pagina "newsletter".. e appunto non ho widget in home..

Posted 1 year ago #
alo
Key Master

@Tony, questo post è sulla vulnerabilità xss: ti rispondo via mail.

@Tony, this post is about the vulnerability xss: I'll answer about your issue via e-mail.

Posted 1 year ago #
alo
Key Master

@Kevin, sorry for delay. Did you check the permissions of /wp-content/plugins/ folder and its content?

For everybody, here you are last changes I submitted on WP trac.

Posted 1 year ago #
webdotcom
Member

@alo

First off, great plugin. Happy to see you being active and proactive towards any issues. Great job!

I was working on a tutorial which includes how to setup your plugin, but I can't download it to continue working on the tutorial.

Any chance to get a copy with what is in the trac? I'd appreciate it.

Thanks

Posted 1 year ago #

RSS feed for this topic

12 Next »

Reply »

You must log in to post.