CVE: 2011-0759
Published: March 17, 2011
Discovered by: Gabriel Quadros, Conviso Labs
Introduction
About Conviso
Conviso is a consulting company specialized in application security. Our values are based on deploying the
right competencies in the field, clear and direct communication with the market, collaboration and
partnership with our customers and business partners, and constant investment in improving our
methodology and research.
The issue in this advisory was discovered as part of a general investigation into the security of software used in the
IT environments of our customers. For more information about our company and the services we provide, please
check our website at www.conviso.com.br.
The vulnerability described in this security advisory was discovered by Gabriel Quadros on December 22nd,
2010, during internal security research.
Recaptcha WordPress Plugin Cross Site Scripting Vulnerability | CVE 2011-0759
Conviso Labs | Security Advisory
Security Advisory
Issue Description
The WordPress Recaptcha Plugin integrates reCAPTCHA antispam methods with WordPress, including
comment, registration, and email spam protection, and is available at http://wordpress.org/extend/plugins/wp-recaptcha/.
This advisory describes multiple Stored Cross Site Scripting (XSS) vulnerabilities and one Cross Site
Request Forgery (CSRF) vulnerability in the plugin. As a result, an attacker can gain elevated access to
sensitive page content, session cookies, and a variety of other information maintained by the
browser on behalf of the WordPress administrator user. Furthermore, the attacker can perform actions that
require administrative privileges.
Affected Components
This problem was confirmed in the latest version of the plugin at the time of writing, WP-reCAPTCHA 2.9.8.2; other
versions may also be affected.
Details
The plugin's configuration page is vulnerable to Stored Cross Site Scripting. Several fields are received
through POST and included in the response page with inadequate sanitization. The vulnerable code is
shown below:
---
---
As a result, an attacker may insert HTML/JavaScript code that is interpreted in the session of an
authenticated administrator and, because the plugin's configuration page is not protected against Cross Site
Request Forgery, the vulnerability can be exploited to inject configuration values and change the reCAPTCHA
configuration, disabling CAPTCHA for comment and registration forms. Proof of concept exploitation
code is available to interested parties.
Issue Mitigation
The developer has not provided a patch or workaround. A fix for this issue should sanitize the submitted
values before including them in the page, using the htmlspecialchars() function or equivalent. Furthermore,
a mechanism to protect against CSRF is needed to prevent an attacker from changing the plugin's
configuration.
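The following is an added illustration of the two fixes recommended above; it is not the plugin's own code, and the option name, nonce action string, and capability check are assumptions. It shows the unsafe pattern the advisory describes next to a version that escapes on output and verifies a WordPress nonce before writing.

```php
<?php
// Added example, not WP-reCAPTCHA code. Option name 'recaptcha_opt_pubkey'
// and nonce action 'wp_recaptcha_options' are assumed for illustration.

// BEFORE: the pattern the advisory describes. A POST value is stored and echoed
// back into the settings form unescaped (stored XSS), and nothing ties the
// write to the administrator's own session (CSRF).
function recaptcha_settings_vulnerable() {
    if (isset($_POST['recaptcha_opt_pubkey'])) {
        update_option('recaptcha_opt_pubkey', $_POST['recaptcha_opt_pubkey']);
    }
    $pubkey = get_option('recaptcha_opt_pubkey', '');
    echo '<input type="text" name="recaptcha_opt_pubkey" value="' . $pubkey . '" />';
}

// AFTER: the write is accepted only with a valid nonce from a user who may
// manage options, and the stored value is escaped when rendered.
function recaptcha_settings_hardened() {
    if (isset($_POST['recaptcha_opt_pubkey'])) {
        // Rejects requests that do not carry a nonce issued to this admin session.
        check_admin_referer('wp_recaptcha_options');
        if (!current_user_can('manage_options')) {
            wp_die('Insufficient privileges');
        }
        update_option('recaptcha_opt_pubkey', (string) $_POST['recaptcha_opt_pubkey']);
    }
    $pubkey = get_option('recaptcha_opt_pubkey', '');
    // ENT_QUOTES also encodes the double quote that would otherwise close the
    // value="" attribute and let injected markup reach the page.
    $safe = htmlspecialchars($pubkey, ENT_QUOTES, 'UTF-8');
    echo '<form method="post">';
    wp_nonce_field('wp_recaptcha_options');   // emits the hidden _wpnonce field
    echo '<input type="text" name="recaptcha_opt_pubkey" value="' . $safe . '" />';
    echo '<input type="submit" value="Save" /></form>';
}
```

The same escape-on-output step applies to every POST-supplied field the settings page redisplays, not only the one shown here.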
Additional Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-0759 to this
issue.