20 Jan, 2020

Unauthenticated Stored XSS Exploitation in Appointment Booking Calendar

A zero-day exploit takes advantage of a vulnerability for which no fix is yet available, often before the vendor or the public even knows the flaw exists. Some such vulnerabilities are deadly weaknesses; others merely make the attacker's job easier.
CodePeople's WordPress plugin, Appointment Booking Calendar, is popular with websites that want to let visitors schedule time slots. If you use it, though, make sure you've updated it to a recent version. A serious bug turned up in July 2019 that let intruders alter a site's contents with a single crafted request. This isn't hypothetical: attackers started exploiting the bug before the public knew about it.

The fix is an easy one: update the plugin to the latest version. If you don't update your WordPress plugins regularly, you are open to all kinds of risks. Would-be intruders scan every site they can reach, looking for unpatched vulnerabilities; when they find one, they swoop in. Your users might be redirected to another site or shown a pop-up with dubious and offensive advertising. Plugin maintenance is an essential part of security.
Appointment Booking Calendar Plugin
The plugin has over 4,000 active installations. It lets the site developer add a page that lists available time slots and lets visitors book them. For instance, an exercise facility could use it to let people request the use of the equipment on a certain date and time. A slot can have a capacity of more than one; if the place has enough equipment for six people to exercise at once, the administrator can set the capacity to six. People get confirmation emails for their appointments, and the calendar owner gets a notification.

The functionality is integrated with PayPal. If there is a charge at booking time, the calendar takes the user to a PayPal page to make the payment. Rather oddly, the ability to offer slots without payment is available only in the paid versions. There are three paid tiers with successively richer feature sets.
The Bug
Like many plugins, Appointment Booking Calendar includes administrative functionality for customizing its output. One such function, cpabc_appointments_save_edition(), saves settings, including a custom code fragment (JavaScript or CSS) that is stored in the database and emitted on the calendar page.

Only administrators should be able to reach this functionality, but the function never checked whether the caller was authorized, or even logged in. In vulnerable versions, anyone could construct a POST request imitating the settings form and send it to the site; the submitted data could contain arbitrary JavaScript or CSS, which was stored and then served to every visitor of the calendar page.

Many vulnerability-tracking websites called attention to this bug. The ease with which it can be exploited makes it especially serious. If a calendar is accessible on a public page, anyone who is so inclined can exploit it with a minimum of technical knowledge. CodePeople officially disclosed the bug on July 7, 2019. The release which fixed the problem followed shortly afterward.
More Details
A POST request that mimics the settings form submission exploits the vulnerability. Here is a benign proof of concept that only pops an alert box (replace <BLOG> with the target host):
<body onload="document.forms[0].submit();">
     <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
        <input type="hidden" name="CP_ABC_post_edition" value=""/>
        <input type="hidden" name="cfwpp_edit" value="js"/>
        <input type="hidden" name="editionarea" value="alert('Cross Site Scripting!')"/>
     </form>
</body>
The value of cfwpp_edit selects whether the fragment is stored as JavaScript ("js") or as CSS ("css"). The editionarea value is stored without sanitization, so the payload need not even be valid JavaScript if something else suits the attacker's purpose. Note also that the form carries no nonce and the request needs no session cookie: nothing ties the submission to an administrator, which is exactly why it works unauthenticated.
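To make the missing check concrete, here is an added illustration of a minimal WordPress handler that stores admin-supplied JavaScript or CSS, first in the unprotected shape described above and then hardened. This is not CodePeople's code and not the actual 1.3.19 patch; the POST field names are taken from the proof of concept, while the hook, option and function names are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's code. Field names (CP_ABC_post_edition,
// cfwpp_edit, editionarea) match the proof of concept; the hook names,
// option names and function names below are assumptions for this example.

// --- Vulnerable pattern: the handler runs for any request that carries the
// --- expected POST fields, with no check on who sent it. Hooking it on
// --- 'init' means admin-ajax.php (or any front-end page) will trigger it.
function example_save_edition_vulnerable() {
    if ( ! isset( $_POST['CP_ABC_post_edition'], $_POST['cfwpp_edit'], $_POST['editionarea'] ) ) {
        return;
    }
    $kind = $_POST['cfwpp_edit'];                   // "js" or "css", unchecked
    $code = stripslashes( $_POST['editionarea'] );  // stored verbatim
    update_option( 'example_calendar_custom_' . $kind, $code );
}
add_action( 'init', 'example_save_edition_vulnerable' );

// --- Hardened pattern: authenticated-only hook, capability check, nonce,
// --- and a whitelist for the field selector.
function example_save_edition_hardened() {
    if ( ! isset( $_POST['CP_ABC_post_edition'], $_POST['cfwpp_edit'], $_POST['editionarea'] ) ) {
        wp_die( 'Missing fields', '', array( 'response' => 400 ) );
    }
    // 1. Only users allowed to manage site options may change site-wide
    //    scripts and styles. An anonymous caller fails here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry the nonce issued with the settings form, so a
    //    logged-in admin cannot be tricked into submitting it from elsewhere (CSRF).
    check_admin_referer( 'example_save_edition', 'example_nonce' );

    // 3. Accept only the two known targets; anything else is rejected.
    $kind = $_POST['cfwpp_edit'];
    if ( ! in_array( $kind, array( 'js', 'css' ), true ) ) {
        wp_die( 'Invalid field', '', array( 'response' => 400 ) );
    }
    // 4. Storing raw script is what WordPress gates behind 'unfiltered_html';
    //    multisite and hardened installs withhold it even from administrators.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Raw script/CSS not permitted for this user', '', array( 'response' => 403 ) );
    }
    $code = wp_unslash( $_POST['editionarea'] );
    update_option( 'example_calendar_custom_' . $kind, $code );

    // Return to the settings screen after saving.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
// admin_post_{action} fires only for logged-in users; anonymous requests to
// admin-post.php go to admin_post_nopriv_{action}, which is not registered.
add_action( 'admin_post_example_save_edition', 'example_save_edition_hardened' );

// The settings form that issues the nonce the handler above verifies.
function example_render_edition_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_edition">';
    wp_nonce_field( 'example_save_edition', 'example_nonce' );
    echo '<input type="hidden" name="CP_ABC_post_edition" value="">';
    echo '<select name="cfwpp_edit"><option value="js">js</option><option value="css">css</option></select>';
    echo '<textarea name="editionarea"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}
```

Run the proof-of-concept form against the vulnerable handler and the option is overwritten; run it against the hardened one and the request dies at the capability check before any input is touched. The capability check is the fix for this bug; the nonce and the whitelist are the two further checks a reviewer would expect on any handler that writes site-wide settings.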
Cross-site scripting, or XSS, is a common vulnerability in web software. It can happen wherever an unauthorized party can add arbitrary content to a page. Some sites deliberately accept user-created content and have to scrutinize input, and encode output, to keep JavaScript out. Others, such as sites using the plugin discussed here, unintentionally let unauthorized parties add content. Sites that permit XSS because they fail to verify authorization keep turning up.

The most common type is non-persistent, or reflected, XSS. It lets intruders inject JavaScript into a page on a one-time basis, usually through a specially crafted URL, so it affects only users who enter the site through a malicious link. The vulnerability in Appointment Booking Calendar allows persistent (stored) XSS: the payload sits in the database and runs for every user who visits the affected page, which is why persistent XSS exploits can do wider damage.

Veracode has estimated that 40% of all web applications have a cross-site scripting flaw, and XSS regularly appears on the OWASP Top 10 list of vulnerabilities. Unlike most other vulnerability classes, XSS targets the site's users rather than the server, and uncaught exploits can hurt a site's reputation.
The Effects of the XSS Exploit
Cross-site scripting can have a wide variety of effects, since the attacker can inject any JavaScript and it runs in the site's own origin, with whatever the site's own scripts can do. Common uses include the following:

  • Capturing a copy of the user's session cookies (those not flagged HttpOnly) so the perpetrator can try to hijack the user's session.
  • Logging the user's keystrokes and mining them for personal data.
  • Capturing the contents of form fields, including passwords and credit card data.
  • Redirecting the user to a malicious site. In the present case, a script could rewrite the booking flow so that the payment goes to the intruder's PayPal account instead of the site owner's.
  • Inserting ads or vandalizing the site's content.
  • Preventing normal functionality, such as scheduling appointments, from working.

Criminals have exploited the vulnerability in Appointment Booking Calendar and could have done any of these things. The attacks haven't stopped, because many sites still run the old, vulnerable version of the plugin.
Remedies
The changelog on the Appointment Booking Calendar website blandly offers "improved query security" as the note for version 1.3.19, with no hint that it closes a major security hole. Regardless, if you run any version earlier than 1.3.19, update it immediately. If you are only doing so now, six months after the fix shipped, also look into why your plugins aren't being updated more often; neglecting updates leaves your site open to many attacks.

When you update, check the site for signs of tampering; after being exposed this long, the odds are high that it has been hit. Replacing the plugin files is not enough on its own: the injected fragment lives in the plugin's stored settings in the database, not in its files, so inspect the custom JavaScript and CSS fields in the plugin's configuration (and the corresponding rows in the options table) and clear anything you did not put there. Removing the plugin and re-installing it can then give you a clean starting point, provided the old settings are deleted rather than carried over, since WordPress does not remove a plugin's stored options unless its uninstall routine does so.
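As an added check for the "signs of tampering" step (not a Quttera or CodePeople tool), the script below runs under WP-CLI with `wp eval-file find-injected-editions.php` and lists stored options whose name matches the plugin's cpabc prefix, flagging contents that look like injected script rather than a site owner's customization. The option-name pattern and the indicator list are assumptions; confirm the real option names in your database before relying on the result, and treat a hit as something to read, not as proof by itself.

```php
<?php
// Added check, not part of the plugin or of Quttera's tooling.
// Usage: wp eval-file find-injected-editions.php
// Assumption: the plugin keeps its custom JS/CSS in wp_options under names
// containing "cpabc" (the prefix of cpabc_appointments_save_edition()).
// Verify the actual option names on your install before trusting a clean result.

global $wpdb;

$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        '%' . $wpdb->esc_like( 'cpabc' ) . '%'
    )
);

// Patterns that are common in injected payloads and rare in legitimate
// calendar customizations. Order matters only for readability of the report.
$indicators = array(
    'external_script' => '/<script[^>]+src\s*=\s*["\']?https?:\/\//i',
    'inline_script'   => '/<script\b/i',
    'remote_iframe'   => '/<iframe\b/i',
    'redirect'        => '/(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\s*\(/i',
    'cookie_access'   => '/document\.cookie/i',
    'obfuscation'     => '/\b(?:eval|unescape|atob|String\.fromCharCode)\s*\(/i',
    'css_import'      => '/@import\s+(?:url\()?["\']?https?:\/\//i',
);

$flagged = 0;
foreach ( $rows as $row ) {
    $value = maybe_unserialize( $row->option_value );
    // Settings may be stored as arrays; flatten to one string for scanning.
    $text = is_string( $value ) ? $value : wp_json_encode( $value );
    if ( '' === trim( (string) $text ) ) {
        continue;
    }
    $hits = array();
    foreach ( $indicators as $label => $re ) {
        if ( preg_match( $re, $text ) ) {
            $hits[] = $label;
        }
    }
    if ( $hits ) {
        $flagged++;
        WP_CLI::warning( sprintf( '%s: %s', $row->option_name, implode( ', ', $hits ) ) );
        // Show the first 200 characters so the reviewer can judge the hit.
        WP_CLI::line( '    ' . substr( preg_replace( '/\s+/', ' ', $text ), 0, 200 ) );
    } else {
        WP_CLI::log( sprintf( '%s: %d bytes, nothing flagged', $row->option_name, strlen( $text ) ) );
    }
}
WP_CLI::line( sprintf( '%d option(s) checked, %d flagged', count( $rows ), $flagged ) );
```

A legitimate custom script stored by the site owner will also trip the inline_script indicator, so the point of the report is to surface every stored fragment for a human to read; external_script, redirect and obfuscation hits in a field the owner never touched are the ones that warrant cleaning the option and then looking for how the payload got there.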

Exploitation started before the issue was announced or fixed, so even the most zealous site maintainers had a window of risk. Additional protections, such as the Quttera Web Application Firewall, help keep application bugs from turning into corrupted websites. A well-protected website uses multiple layers of defense and keeps each of them up to date.