Stored XSS in WP Photo Album Plus 5.4.5

There is a (relatively minor) stored XSS vulnerability in WP Photo Album Plus (WPPA) 5.4.5.
WPPA maintains its own error log. When this error log is viewed through the web interface, its output is not sanitized. Regular users who have the ability to upload files to photo galleries can cause arbitrary data to be written to the log file. An easy way to demonstrate this is to upload a zip file containing a file named:

<img src="ff" onerror="alert('xss');">

When you try to import the contents of the zip file, it produces an error containing the malicious file name, and that error is logged. Output isn’t escaped properly on the upload/import pages either, so the JavaScript runs right after the import attempt. The lack of proper sanitization on these pages results in a reflected XSS vulnerability as well, but with double and single quotes escaped with backslashes, so you may need to fiddle with it a bit to get it to do something useful.

http://wptestbox1.dev/wordpress/wp-admin/admin.php?page=wppa_import_photos&zip=<img src="ff" onerror=alert(0);>.zip


All throughout the upload/import pages full file paths are disclosed, and you have a limited ability to import image and zip files anywhere on the web server. The WPPA error log and users’ depots (where files are stored before they are imported to albums) are also directly accessible with no authentication necessary.

http://wptestbox1.dev/wordpress/wp-content/wppa-depot/admin/error.log

The code behind the error log page writes each line of the log into the page as-is:

                case 'wppa_list_errorlog':
                        $filename = WPPA_CONTENT_PATH.'/wppa-depot/admin/error.log';
                        $result .= '
                                <h2>List of WPPA+ error messages <small>( Newest first )</small></h2>
                                <div style="float:left; clear:both; width:100%; overflow:auto; word-wrap:none; background-color:#f1f1f1; border:1px solid #ddd;" >';

                        if ( ! $file = @ fopen( $filename, 'r' ) ) {
                                $result .= __('There are no error log messages', 'wppa');
                        }
                        else {
                                $size = filesize( $filename );
                                $data = fread( $file, $size );
                                $messages = explode( "\n", $data );
                                $count = count( $messages );
                                $idx = $count - '2';
                                while ( $idx >= '0' ) {
                                        $result .= $messages[$idx].'<br />';
                                        $idx--;
                                }
                        }

                        $result .= '
                                </div><div style="clear:both;"></div>
                                ';
                        break;
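
A hardened version of the loop in the wppa_list_errorlog case above, as an added example that is not WPPA's own code or the plugin author's fix. The function name render_error_log and the sample log format are assumptions; the only change in behaviour is that each log line is HTML-escaped before it is placed in the page.

```php
<?php
// Added example, not WPPA's code. render_error_log() is a hypothetical name.
// It lists log lines newest first, like the original loop, but escapes each
// line on output so markup stored in the log is displayed as text.

function render_error_log( string $data ): string {
    // Split into lines and drop empty ones (the original relied on a
    // trailing newline and skipped the last array element by index).
    $messages = array_filter(
        explode( "\n", $data ),
        static fn( string $line ): bool => trim( $line ) !== ''
    );

    $out = '';
    foreach ( array_reverse( $messages ) as $message ) {
        // Escape <, >, &, and both quote styles. Inside WordPress,
        // esc_html( $message ) is the usual call for this context.
        $out .= htmlspecialchars(
            rtrim( $message, "\r" ),
            ENT_QUOTES | ENT_SUBSTITUTE,
            'UTF-8'
        ) . '<br />';
    }
    return $out;
}

// Constructed sample log content; the entry format is an assumption.
// The second entry carries the file name used in the write-up.
$sample = "Could not open album 3\n"
        . "Import failed: <img src=\"ff\" onerror=\"alert('xss');\">\n";

echo render_error_log( $sample ), "\n";
```

The same escaping applies wherever the upload/import pages echo a file name or the zip parameter back into HTML.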

Links:
WPPA plugin page on plugins.wordpress.org

Author: Voxel@Night
