CVE-2019-19306: ZOHO CRM Lead Magnet version 1.6.9.1 · Issue #16 · cybersecurityworks/Disclosed

Details

ZOHO CRM Lead Magnet version 1.6.9.1
Bug Name: Reflected Cross Site Scripting (XSS) in WordPress Plugin
Product: ZOHO CRM Lead Magnet version 1.6.9.1
Version: 1.6.9.1
Last Updated: 14-10-2019
Homepage: http://localhost/wordpress/
Severity: High
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=create-leadform-builder&__module=ManageShortcodes&__action=zcfCrmManageFieldsLists&onAction=onCreate&crmtype=crmformswpbuilder&module=Leads&EditShortcode=58H3N&LayoutName=Standard&formName=Unititled
Vulnerable Variable: Module & EditShortcode & LayoutName

Description:

A cross site scripting (XSS) attack can cause arbitrary code (java script) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executing when the user loads an create lead form page created in Zoho CRM Lead Magnet Version 1.6.9.1

Proof of concept: (POC)

Issue 1:

By exploiting a Cross-site scripting vulnerability an attacker easily gain access to user’s session by stealing cookies and also exploit the user browser.

1. Login to the application

2. Install Zoho CRM Lead Magnet Plugin

Figure 01: Zoho CRM Lead Magnet

3. Configure the client id and secret key

Figure 02: client key and secret id are filled in Authenticating Zoho CRM Plugin

4. Click on Create New Form button and fill the values and click on Next button

Figure 03: new form in Zoho CRM Plugin

5. Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

Figure 04: Request with XSS payload sent to the server

Figure 05: Request and response captured in the proxy

6. Injected XSS payload is successfully executed when the user visits or reloads the page

Figure 06: The JavaScript is successfully executed in the victim browser context

Figure 07: The WordPress application running on version 5.2.3

Figure 08: The WordPress Zoho CRM Lead Magnet plugin Version: 1.6.9.1

Figure 09: The default cross-site scripting mitigation setting in wp.config file to prevent cross site scripting attacks.

Reproducing Steps

1. Logon into WordPress application in localhost
2. Access the vulnerable GET Request URL with XSS payload inserted into the vulnerable variable.
3. XSS will get executed in the user machine once the user clicks on the given vulnerable link.

Timeline

2019-10-13 – Discovered in WordPress( Zoho CRM Lead Magnet Plugin ) Product
2019-10-14 – Reported to [email protected]
2019-10-15 – Received instant response from WordPress plugin team.
2019-10-15 – Issue acknowledged and fixed immediately.
2019-10-16 – Came up with a write up here.

Discovered by:
Saran Baskar from Cyber Security Works Research Lab