Advisory ID: SYSS-2018-014 Product: PDF & Print Manufacturer: Bestwebsoft Affected Version: 2.0.2 Tested Version: 2.0.2 Vulnerability Type: Cross-Site-Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-08-24 Solution Date: 2018-09-13 Public Disclosure: 2018-09-28 CVE Reference: - Author of Advisory: Robin Trost, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: PDF & Print is a Wordpress Plugin which allows a user to generate a PDF file from the Blog post or print it. The manufacturer describes the product as follows (see [1]): "With this plugin you can create PDF files and print pages quickly. Add PDF & print buttons to WordPress website pages, posts, and widgets. Generate documents with custom styles and useful data for archiving, sharing, or saving." Due to improper encoding the plugin is vulnerable to reflected cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The called URL gets reflected in the tag for the "View PDF" and "Print Content" Buttons. Because the GET-parameter names did not get encoded it is possible to execute JavaScript trough the URL. The value of the GET-parameter is encoded correctly, but the name of the GET-parameter is not encoded which leads to the Cross-Site-Scripting. This vulnerability affects all Blog Posts or Wordpress Sites where the "View PDF" or "Print Content" Button is displayed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): GET /index.php/2018/07/25/hello-world/?param1=10"><&10"> tag from the URI Path being embedded in the response in two places so that a browser will execute the JavaScript code. [...]
image_pdf image_print
[...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to version 2.0.3 of PDF & Print More Information: https://bestwebsoft.com/products/wordpress/plugins/pdf-print/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-07-25: Vulnerability discovered 2018-08-24: Vulnerability reported to manufacturer 2018-09-13: Patch released by manufacturer 2018-10-28: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for PDF & Print https://bestwebsoft.com/products/wordpress/plugins/pdf-print/ [2] SySS Security Advisory SYSS-2018-014 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/ SYSS-2018-014.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Robin Trost of SySS GmbH. E-Mail: robin.trost at syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/ Robin_Trost.asc Key ID: 0x698E6EB3 Key Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en