The SiteLock Research Team will have many firsts as it develops. This week we’ll discuss the first reported and patched vulnerability the team found, a minor cross-site scripting vulnerability in Testimonial Slider.
The team has been working on putting together a new vulnerability research process. During the creation of this process, we tested a not-so-randomly chosen WordPress plugin, Testimonial Slider. We chose Testimonial Slider for no other reason than it was a slider plugin, after the recent Revolution Slider exploit.
What Does Testimonial Slider Do?
Testimonial Slider, developed by SliderVilla.com, displays customer testimonials in a responsive slider and has over 10,000 installs. We analyzed version 1.2.1 using SiteLock TrueCode and manual analysis.
The vulnerability was an authenticated, reflected cross-site scripting (XSS) vulnerability. If you haven’t heard of XSS before, it is a vulnerability in website or web application code that allows bad actors to inject their own code into a web page. TrueCode pointed us to the possible vulnerability in Testimonial Slider’s settings.php file, specifically line 203, where an instance of a variable named $curr is located. This variable is echoed out in the page’s source code.
Tracking Down The Vulnerability
We traced back through the code to find where $curr was set, which was in lines 195 and 196. It was set to ‘Default’ if another variable, $cntr, was empty. If $cntr had been given a value, $curr was assigned the value of $cntr.
The payoff came in lines 91 and 92 of the code, where the value of the $cntr variable was assigned:
if (isset($_GET['scounter']))$cntr = $_GET['scounter'];
The value of a $_GET variable is passed through the page URL. Whatever value $_GET['scounter'] was set to was assigned to $cntr and subsequently to $curr, which was echoed into the page without validation or escaping. That is the reflected XSS vulnerability.
Proof Of Concept
Quick Turnaround By SliderVilla
We reported the vulnerability to the developer and it was fixed within 10 days:
- 19 Oct 2015 – Notified developer, http://slidervilla.freshdesk.com/helpdesk/tickets/568
- 20 Oct 2015 – Developer responded, ‘We will fix this issue on priority and release an update soon.’
- 30 Oct 2015 – Developer released version 1.2.2, ‘Fix – Input validation of s-counter on admin panel’
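To fix the vulnerability, the developer added code that sets $cntr to the intval of $cntr. intval always returns an integer, and returns 0 when the string does not begin with a number, so markup passed in scounter can no longer reach the echoed output.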
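The data flow traced above, next to the intval fix, as an added example that is not the plugin's own code. The function names, the surrounding span markup and the sample inputs are assumptions; only the $_GET['scounter'] to $cntr to $curr to echo chain and the use of intval come from this write-up.

```php
<?php
// Added illustration: function names and the <span> wrapper are hypothetical.
// Only the scounter -> $cntr -> $curr -> output flow is taken from the write-up.

// Pattern described for version 1.2.1: the request value reaches the page unchanged.
function current_setting_vulnerable(array $get): string {
    $cntr = '';
    if (isset($get['scounter'])) $cntr = $get['scounter'];
    $curr = empty($cntr) ? 'Default' : $cntr;
    return '<span class="current">' . $curr . '</span>';
}

// Pattern described for version 1.2.2: $cntr is forced to an integer first.
function current_setting_fixed(array $get): string {
    $cntr = '';
    if (isset($get['scounter'])) $cntr = intval($get['scounter']);
    $curr = empty($cntr) ? 'Default' : $cntr;
    // Defence in depth (an assumption, not stated as part of the 1.2.2 fix):
    // escape at the point of output so later changes upstream cannot reopen the hole.
    return '<span class="current">'
        . htmlspecialchars((string) $curr, ENT_QUOTES, 'UTF-8')
        . '</span>';
}

// Constructed inputs: a normal counter, harmless marker markup,
// digits followed by markup, and a request with no scounter at all.
$samples = ['2', '<b>marker</b>', '3<b>marker</b>', null];

foreach ($samples as $value) {
    $get = $value === null ? [] : ['scounter' => $value];
    printf("%-20s vulnerable: %s\n", var_export($value, true), current_setting_vulnerable($get));
    printf("%-20s fixed:      %s\n", '', current_setting_fixed($get));
}
```

Run with the PHP CLI. The vulnerable function returns the marker tags verbatim inside the span, while the fixed one returns Default for the markup-only input and 3 for the input that starts with a digit, because intval keeps leading digits and discards the rest.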
We would like to thank SliderVilla.com for their responsiveness. As the Research Team grows and processes are developed, the team will have more time to analyze more WordPress plugins and eventually include plugins for other content management systems.
The code analysis tool that the SiteLock Research team used to help uncover the vulnerability was TrueCode Static Application Security Testing.