prettyPhoto DOM based XSS on Saotn.org

This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in the prettyPhoto library used by my WordPress theme. Whoops! So, I had work to do. But what is prettyPhoto, and what exactly is a DOM based XSS?
prettyPhoto is widely used in various WordPress themes and plugins. Olivier was very helpful in identifying the Cross Site Scripting (XSS) source (the attacker-controlled input that ends up in the page), which gave me a good starting point to search for a solution.
In his proof of concept, all document.cookie information is sent to www.evil-attacker.org/sendcookie.php when an admin user clicks such a crafted link. Dress the link up in some pretty HTML so it looks interesting, and you'd be surprised how many people click it…
The impact of this DOM XSS on WordPress itself is limited, because WordPress sets its authentication cookies with the HttpOnly flag. HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (Source: OWASP). Keep in mind that HttpOnly only stops script from reading the cookie: a payload running in an admin's browser can still send requests that carry the admin's session, so the vulnerability still needs fixing.
prettyPhoto is a jQuery lightbox clone. Not only does it support images, it also supports videos, Flash, YouTube, iframes and Ajax. It's a full blown media lightbox.
It is very easy to set up, yet very flexible if you want to customize it a bit. Plus, the script is compatible with every major browser, even IE6. It also comes with useful APIs, so prettyPhoto can be launched from nearly anywhere (yes, that includes Flash)!
What is a DOM based XSS?
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
This is in contrast to other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server side flaw).
WordPress cookies are insecure over unsecured Wi-Fi networks
Yan Zhu, a staff technologist at the Electronic Frontier Foundation, found that an attacker could hijack a WordPress user's cookie when the user is connected through an unsecured, public Wi-Fi network. The wordpress_logged_in_ cookie is set without the Secure attribute, so the browser also sends it over plain HTTP connections, where anyone on the same network can read it off the wire and replay it.
As stated above, WordPress is fairly well protected against this particular Cross Site Scripting vulnerability thanks to HttpOnly. However, since prettyPhoto is easy to integrate in websites, every site that uses it without HttpOnly on its session cookies is exposed to cookie theft through the same flaw!
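To make the two cookie attributes discussed above concrete, here is an added example (not WordPress or prettyPhoto code) that parses Set-Cookie headers, reports which of HttpOnly and Secure are missing, and shows what a script running in the page, such as the XSS payload, would actually get back from document.cookie. The three header values are constructed for this example; the first is merely shaped like a WordPress login cookie.

```javascript
// Added example, not WordPress code. Header values below are constructed.

// Split a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Flags a session cookie should carry but does not.
// HttpOnly: document.cookie cannot read it, so an XSS payload cannot exfiltrate it.
// Secure:   the browser only sends it over https://, so open Wi-Fi cannot sniff it.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const missing = [];
  if (!('httponly' in attrs)) missing.push('HttpOnly');
  if (!('secure' in attrs)) missing.push('Secure');
  return { name, missing };
}

// What injected script sees in document.cookie: only cookies set without HttpOnly.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => c.name + '=' + c.value)
    .join('; ');
}

// Constructed sample headers, as a server might send them.
const SAMPLE_HEADERS = [
  // shaped like a WordPress login cookie: HttpOnly set, Secure missing
  'wordpress_logged_in_abc123=admin%7C1400000000%7Cdeadbeef; path=/; HttpOnly',
  // a third-party session cookie with neither flag
  'PHPSESSID=0123456789abcdef; path=/',
  // a fully flagged cookie
  'session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax',
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

console.log(auditAll(SAMPLE_HEADERS));
console.log('document.cookie would contain:', scriptVisibleCookies(SAMPLE_HEADERS));
```

Run it with Node: the WordPress-style cookie is reported as missing only Secure, the PHPSESSID cookie as missing both, and the simulated document.cookie contains just PHPSESSID, which is exactly the cookie a prettyPhoto XSS payload on such a site would send to the attacker.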
How to fix prettyPhoto DOM based XSS
You can fix the DOM based XSS in prettyPhoto by opening up jquery.prettyPhoto.js in your favorite editor. Scroll to line 876 and add the lines:
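Since the exact lines are not reproduced here, the following added example (written for this page, not prettyPhoto's own code) shows the general pattern behind this class of bug and two ways to close it. It assumes a lightbox that restores its state from everything after "#prettyPhoto" in the page URL, a fragment layout of "#prettyPhoto[gallery]/index/", and that the minimal fix consists of stripping "<" and ">" from that string; all three are assumptions made for the example. The URL is taken as a parameter instead of read from location.href so that it runs outside a browser.

```javascript
// Added example, not prettyPhoto's own code. Fragment layout and the
// angle-bracket stripping are assumptions made for this example.

// Constructed proof-of-concept URL: the lightbox state after "#prettyPhoto"
// is attacker controlled, so it carries markup instead of a gallery index.
const PAYLOAD_HREF =
  'https://www.example.org/gallery/#prettyPhoto[gallery]/0/' +
  '<img src=x onerror=alert(document.cookie)>';
const BENIGN_HREF = 'https://www.example.org/gallery/#prettyPhoto[gallery]/2/';

// Source: everything after "#" of "#prettyPhoto", percent-decoded. In a
// browser this would read location.href.
function getHashtag(href) {
  const idx = href.indexOf('#prettyPhoto');
  if (idx === -1) return false;
  try {
    return decodeURI(href.substring(idx + 1));
  } catch (e) {
    return false; // malformed percent-encoding: treat as no deep link
  }
}

// Vulnerable sink: the fragment is spliced into markup. Assigning this string
// to innerHTML, or passing it to jQuery's $() (which, before jQuery 1.9,
// treated any string containing "<" as HTML), runs the onerror handler.
function captionMarkupVulnerable(href) {
  const hashtag = getHashtag(href);
  return hashtag ? '<p class="pp_description">' + hashtag + '</p>' : '';
}

// Fix 1, minimal: remove "<" and ">" so the fragment can no longer open a tag.
// Enough for an HTML-context sink; it does nothing for attribute, URL or eval sinks.
function getHashtagStripped(href) {
  const hashtag = getHashtag(href);
  return hashtag ? hashtag.replace(/<|>/g, '') : false;
}

// Fix 2, preferred: allowlist the fragment shape, turn it into typed values,
// and never hand the raw string to anything that interprets markup.
const DEEPLINK_RE = /^prettyPhoto(?:\[([\w-]+)\])?\/(\d+)\/?$/;

function parseDeeplink(href) {
  const hashtag = getHashtag(href);
  if (!hashtag) return null;
  const m = DEEPLINK_RE.exec(hashtag);
  if (!m) return null; // anything but "prettyPhoto[name]/N/" is ignored
  return { gallery: m[1] || null, index: Number(m[2]) };
}

// Escape the one URL-derived string before it meets markup, even though the
// allowlist already excludes markup characters (defence in depth).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function captionMarkupSafe(href) {
  const link = parseDeeplink(href);
  if (!link) return '';
  const label = (link.gallery ? escapeHtml(link.gallery) + ' ' : '') + (link.index + 1);
  return '<p class="pp_description">' + label + '</p>';
}

console.log('vulnerable:', captionMarkupVulnerable(PAYLOAD_HREF));
console.log('stripped:  ', getHashtagStripped(PAYLOAD_HREF));
console.log('allowlist: ', parseDeeplink(PAYLOAD_HREF), parseDeeplink(BENIGN_HREF));
console.log('safe:      ', captionMarkupSafe(BENIGN_HREF));
```

Stripping angle brackets is the smallest change and matches the shape of the fix described above, but the allowlist version is what I would recommend for anyone who maintains a fork: it rejects the payload outright instead of mangling it, and the parsed index and gallery name can be used anywhere without worrying which sink they end up in.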
Written by Jan Reilink. Published 2014-05-04 19:54:51, last updated 2017-01-11 09:39:26.