[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Fancy Product Designer for WooCommerce - Stored XSS via SVG upload

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Fancy Product Designer for WooCommerce - Stored XSS via SVG upload
From: Jonathan Gregson via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Sun, 15 Nov 2020 19:10:14 +0000

## About Fancy Product Designer for WooCommerce
Fancy Product Designer for WooCommerce is a WordPress plugin which allows users 
to design custom products in a vendor's WooCommerce store. It is sold through 
the third-party marketplace "Envato Market" and boasts over 15,000 sales.

## Stored XSS via SVG upload
Fancy Product Designer for WooCommerce before version 4.5.1 permits the upload 
of unsanitized SVG files by unauthenticated users. SVG files can contain 
JavaScript which will be executed by the browser if the malicious SVG is 
accessed directly. This JavaScript will run in the context of the affected 
domain and logged in user.

The "Require Login" setting in FPD before version 4.5.1 does not succeed in 
requiring users to be logged in to upload files, meaning any unauthenticated 
user can exploit this vulnerability.

### Details
To exploit this vulnerability, an attacker needs to upload a specially crafted 
SVG using Fancy Product Designer and convince a logged-in user or admin to 
access the SVG. Once accessed, the browser will execute the JavaScript payload 
in the context of the user or admin on the affected domain.

### Impact
This vulnerability can result in the takeover of any user's account on the 
affected domain. If an SVG containing a stored XSS payload is opened by a 
logged in administrator, it could lead to the compromise of the entire site. If 
opened by an anonymous user, it could attempt to phish the user's credentials 
by imitating a WordPress login page.

SVGs accessed in this way can trivially read out current `_wpnonce` values, 
giving an attacker unfettered access to the entire WordPress API of an affected 
site.

### Proof of Concept
 - Account takeover SVG: 
[change-user-email.svg](https://github.com/jdgregson/Disclosures/blob/master/fancy-product-designer/stored-xss-via-svg-upload/change-user-email.svg)
 - Demo video: 
[stored-xss-account-takover.mp4](https://raw.githubusercontent.com/jdgregson/Disclosures/master/fancy-product-designer/stored-xss-via-svg-upload/stored-xss-account-takover.mp4)

### Disclosure Timeline
 - 10/10/2020: issue reported via ticket on developer's support form
 - 10/11/2020: developer responded discussing potential mitigations
 - 10/20/2020: developer released an update which did not address the issue
 - 10/26/2020: developer released an update which addressed the issue by only 
allowing a subset of tags and attributes in uploaded SVGs
 - 11/15/2020: full disclosure


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] SugarCRM v6.5.18 - (Contacts) Persistent Cross Site Web Vulnerability
Next by Date: [FD] Fancy Product Designer for WooCommerce - Unrestricted File Upload
Previous by thread: [FD] SugarCRM v6.5.18 - (Contacts) Persistent Cross Site Web Vulnerability
Next by thread: [FD] Fancy Product Designer for WooCommerce - Unrestricted File Upload
Index(es):
- Date
- Thread