Disqus, the maker of the popular community commenting plugin, has patched a handful of security flaws, including a CSRF bug. The vulnerabilities are present in all versions of the plugin up to 2.75.
The most serious of the three vulnerabilities fixed in version 2.76 of the Disqus plugin is the CSRF flaw in the manage.php module. To exploit it, an attacker could host the exploit code on a malicious site and, via the CSRF, cause the user’s browser to submit the forged request to the plugin. CSRF flaws are widespread in web applications and plugins and are a frequently used attack vector.
“The parameters disqus_replace, disqus_public_key and disqus_secret_key are being passed to WordPress’s update_option function directly with no filtering. The documentation for update_option says that it will take any value passed to it and store it in the database. It is up to the plugin author to filter and validate variables here, since there are cases where you want to store HTML or other types of raw data,” Nik Cubrilovic, the researcher who discovered and reported the Disqus flaws, wrote.
“Further down in manage.php we can see that the options are read out of the database again using get_option. These variables are then printed back out on the page in the form, where they are filtered properly. They are only output there after being passed through the WordPress esc_attr function which will string replace HTML characters and escape them. But at the very bottom of the page there is a ‘debug’ feature that dumps all the settings into a textarea. This is used to troubleshoot the plugin, where Disqus support can ask a user to simply copy/paste what is in the textarea to find problems. In the debug area all of these variables are dumped out into the textarea with no filtering.”
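The pattern Cubrilovic describes, as an added example that is not the Disqus plugin’s code: a minimal PHP model of the manage.php flow, with the unfiltered save and unescaped debug textarea beside a hardened version. It assumes the WordPress functions named in the quote (update_option, get_option, esc_attr) plus esc_textarea, sanitize_text_field, wp_nonce_field and check_admin_referer, which are standard WordPress functions; when WordPress is not loaded, simplified stand-ins are defined so the script runs on its own with the php CLI. The option store, the nonce and the forged request are constructed for the demonstration.

```php
<?php
// Added example (not the Disqus plugin's code): a minimal model of the manage.php
// flow quoted above. When WordPress is not loaded, stand-ins for the WordPress
// functions are defined so the script runs on its own with the php CLI.

if (!function_exists('update_option')) {
    $GLOBALS['wp_options_store'] = [];   // constructed in-memory stand-in for the options table

    function update_option($name, $value) { $GLOBALS['wp_options_store'][$name] = $value; return true; }
    function get_option($name, $default = false) { return $GLOBALS['wp_options_store'][$name] ?? $default; }
    // WordPress's esc_attr() and esc_textarea() both HTML-encode & < > " and '.
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    function esc_textarea($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    // Simplified stand-in for sanitize_text_field(): strip tags and surrounding whitespace.
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}

// The three option names named in the write-up.
const DISQUS_SETTINGS = ['disqus_replace', 'disqus_public_key', 'disqus_secret_key'];

// --- Vulnerable pattern ---------------------------------------------------
// No check that the request came from the plugin's own settings form, values
// stored verbatim, and the "debug" textarea echoes them back unescaped.
function vulnerable_save(array $post): void {
    foreach (DISQUS_SETTINGS as $name) {
        if (isset($post[$name])) {
            update_option($name, $post[$name]);          // no filtering
        }
    }
}

function vulnerable_debug_textarea(): string {
    $out = "<textarea>\n";
    foreach (DISQUS_SETTINGS as $name) {
        $out .= $name . ': ' . get_option($name, '') . "\n";   // no escaping
    }
    return $out . "</textarea>\n";
}

// --- Hardened pattern -----------------------------------------------------
// 1. Reject the update unless the request carries the nonce the settings form
//    was rendered with (WordPress: wp_nonce_field() + check_admin_referer()).
// 2. Filter on the way in.
// 3. Escape on the way out, for the debug dump as well as the form fields.
function hardened_save(array $post, string $expected_nonce): bool {
    // Constant-time comparison stands in for check_admin_referer() outside WordPress.
    if (!isset($post['_wpnonce']) || !hash_equals($expected_nonce, (string) $post['_wpnonce'])) {
        return false;                                    // forged/cross-site request
    }
    foreach (DISQUS_SETTINGS as $name) {
        if (isset($post[$name])) {
            update_option($name, sanitize_text_field($post[$name]));
        }
    }
    return true;
}

function hardened_debug_textarea(): string {
    $out = "<textarea>\n";
    foreach (DISQUS_SETTINGS as $name) {
        $out .= $name . ': ' . esc_textarea(get_option($name, '')) . "\n";
    }
    return $out . "</textarea>\n";
}

// --- Demonstration with a constructed request -----------------------------
// A forged form submission carrying a value that closes the textarea early.
$forged_post = ['disqus_public_key' => '</textarea><b>INJECTED</b>'];

vulnerable_save($forged_post);
echo "Vulnerable debug dump:\n", vulnerable_debug_textarea();
// The stored "</textarea>" ends the element and "<b>INJECTED</b>" becomes live markup.

echo "Hardened debug dump of the same stored value:\n", hardened_debug_textarea();
// Printed as &lt;/textarea&gt;&lt;b&gt;INJECTED&lt;/b&gt;: the browser shows it as text.

$nonce = bin2hex(random_bytes(8));   // stands in for the value wp_nonce_field() emits into the form
var_dump(hardened_save($forged_post, $nonce));                           // bool(false): no nonce, rejected
var_dump(hardened_save($forged_post + ['_wpnonce' => $nonce], $nonce));  // bool(true)
echo "Stored after hardened save: ", var_export(get_option('disqus_public_key'), true), "\n";
// 'INJECTED': the tags were stripped on input, and output escaping still applies.
```

Two points worth noting from the demonstration: escaping at the output site protects the debug textarea even for values that were stored unfiltered before the fix, which is why it belongs on the output path and not only in the save handler; and the nonce check is what closes the CSRF, since a forged request from another origin cannot carry a valid nonce for the victim's session.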
Cubrilovic has published on his site an exploit that takes advantage of the vulnerability. He said that he had used the exploit in a live penetration test for a client by sending the link in a spearphishing email to an administrator.
The other two vulnerabilities that Cubrilovic discovered in Disqus are less serious than the CSRF bug. One of them could be used to reset or delete the options in the Disqus plugin and the other is a cross-site scripting vulnerability.
Disqus is a very popular plugin for WordPress that enables users to comment on posts across multiple sites with a common login.