Last week's release of the WordPress 4.0.1 update offers a good lesson in vulnerability prioritization for security organizations -- namely that security professionals need to stop underestimating cross-site scripting (XSS) vulnerabilities.
According to the release notes issued by the WordPress team, the update fixed a number of critical vulnerabilities, including a handful of serious XSS vulnerabilities. Alongside this release, an update of the WP-Statistics plug-in fixed another XSS bug, found by Sucuri researchers, that could be used to create new administrator accounts, insert SEO spam in blog posts, and perform actions within that site's admin panel. In addition to these flaws, the WordPress crew alluded in their notes last week to a severe XSS flaw in all WordPress versions before 4.0 that was found by the Finnish researcher Jouko Pynnonen. He offered further details about that flaw on the Full Disclosure mailing list last week.
"Our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plug-in editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator)," Pynnonen wrote.
"These operations happen in the background without the user seeing anything out of the ordinary."
While XSS vulnerabilities and exploits have continued to flourish, many security teams have deprioritized these flaws over the last several years in favor of addressing what seem to be higher-severity SQL injection vulnerabilities. Experts say organizations should be wary of that tactic.
"SQL injection vulnerabilities are becoming more and more rare, as well as other high and critical risk vulnerabilities," Ilia Kolochenko, CEO of the consultancy High-Tech Bridge, says in a blog post. "At the same time almost nobody cares about 'medium-risk' XSS vulnerabilities leaving their websites vulnerable. Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals. If you close your door, don't forget to close your windows -- otherwise the entire security is at risk."
A report his firm released last week shows that the architecture of more than 70% of web applications allows well-crafted XSS exploits to perform an automated, layered attack that could ultimately give the attacker root. Meanwhile, 95% of today's XSS vulnerabilities can be used to perform drive-by-download attacks that exploit even the most security-conscious users visiting seemingly harmless URLs.
According to Johannes Ullrich, director of the SANS Internet Storm Center (ISC), as common as XSS vulnerabilities are, they're "often underestimated." XSS doesn't appear to let attackers tap directly into databases the way SQL injection does, nor does it appear to allow code execution on the server, he wrote recently in a SANS ISC blog post. But the truth is that it gives attackers the power to modify the HTML of a site, which can ultimately take them down a path to full compromise.
"With that, the attacker can easily modify form tags," he wrote, "or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening."