Blog: Vulnerability Advisory

DOM XSS in iThemes Security Pro

David Lodge 05 Apr 2016

Reference PTP-2016-004

1. Description

A DOM-based XSS was found in iThemes' Security Pro which could potentially allow attacker-supplied JavaScript to be executed in the context of the current page.

One file, ithemes-security-pro/core/js/admin-dashboard.js, concatenates the JavaScript property document.location into HTML markup that is then inserted into the page:

jQuery( '#screen-meta-links' ).append(
    '<div id="itsec-meta-link-wrap" class="hide-if-no-js screen-meta-toggle">' +
    '<a href="' + document.location + '&show_admin_modal=true" class="show-settings">' + itsec_dashboard.text + '</a>' +
    '</div>'
);

When document.location is used in a string context it yields the full URL, including the query string and fragment. So if an attacker could get a user to visit a crafted URL, through either social engineering or a CSRF attack, custom JavaScript could be run on the resulting page.

It should be noted that the URL would have to reach the page in a "raw" state, without URL encoding.

It would be hard to find a vector to exploit this, as the context of the script indicates it belongs to a backend security dashboard, meaning its exposure is limited.
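The following is an added example, not code from the plugin or from this advisory. It reproduces the string-building pattern shown above as a plain function (jQuery's append is replaced by returning the markup, so it runs under Node) beside a hardened version that builds the link target with the URL API and attribute-encodes it before it is placed in the markup. The function names, the escapeHtmlAttr and extractHref helpers, and the example.test URL are constructed for this demonstration; a constructed "raw" location containing a double quote stands in for the unencoded document.location the advisory describes.

```javascript
// Added example (not the plugin's code): the vulnerable pattern from
// admin-dashboard.js beside a hardened equivalent. All names and URLs below
// are constructed for the demonstration.

// Mirrors the plugin's pattern: the location (here a plain string standing in
// for document.location) is concatenated straight into an href attribute.
function buildLinkVulnerable(location, text) {
  return '<div id="itsec-meta-link-wrap" class="hide-if-no-js screen-meta-toggle">' +
    '<a href="' + location + '&show_admin_modal=true" class="show-settings">' + text + '</a>' +
    '</div>';
}

// Encode the characters that matter inside a double-quoted HTML attribute
// (and in text content): & < > " '
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened version: let the URL API append the parameter (it percent-encodes
// the query and also works when the location has no query string yet), then
// attribute-encode the result before it goes into the markup.
function buildLinkSafe(location, text) {
  const url = new URL(location);
  url.searchParams.set('show_admin_modal', 'true');
  return '<div id="itsec-meta-link-wrap" class="hide-if-no-js screen-meta-toggle">' +
    '<a href="' + escapeHtmlAttr(url.href) + '" class="show-settings">' + escapeHtmlAttr(text) + '</a>' +
    '</div>';
}

// Pull the href attribute value back out of the markup and undo attribute
// encoding, so we can check what a browser would actually navigate to.
function extractHref(markup) {
  const m = /href="([^"]*)"/.exec(markup);
  return m ? m[1].replace(/&quot;/g, '"').replace(/&amp;/g, '&') : null;
}

// Constructed "raw" location containing a double quote: the unencoded state
// the advisory says the URL would have to arrive in for this to matter.
const RAW_LOCATION = 'https://example.test/wp-admin/admin.php?page=itsec" data-injected="1';

console.log('vulnerable:', buildLinkVulnerable(RAW_LOCATION, 'Settings'));
console.log('hardened:  ', buildLinkSafe(RAW_LOCATION, 'Settings'));
```

Running the block prints both markups. In the first, the double quote in the location closes the href early and the rest of the URL becomes a separate attribute (data-injected here, which is where an attacker-chosen attribute would land); in the second, the same input is percent-encoded by the URL API and then attribute-encoded, so it stays inside href and round-trips as the original page parameter. Building the target with searchParams also appends show_admin_modal correctly when the current location has no query string, a case the bare '&' concatenation in the original does not handle. In real code the cleanest fix is to avoid string concatenation altogether and set the attribute through the DOM, for instance jQuery's .attr('href', ...).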

2. CVSS Score

As the code is behind a backend system and not obviously accessible, other vectors such as CSRF may be needed to exploit this.

The CVSSv2 base score is 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

The CVSSv3 base score is 3.3 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N)

3. Resolution

The iThemes Security team have been very responsive to the vulnerability alert and have issued a patch that validates this string.

Ensure that any installations of iThemes Security have been updated to the patched release (2.29 for the Pro version, 5.3.5 for the free version, both released 29th March 2016) or later.

4. Vulnerability Timeline

20/03/2016 Vulnerability discovery

21/03/2016 iThemes security team notified

29/03/2016 Patch released

01/04/2016 Advisory released