Disqus, the maker of the popular community commenting plugin, has patched a handful of security flaws, including a CSRF bug. The vulnerabilities are present in all versions of the plugin up to 2.75.

The most serious of the three vulnerabilities fixed in version 2.76 of the Disqus plugin is the CSRF flaw in the manage.php module. To exploit it, an attacker would host the exploit code on a malicious site and lure a logged-in administrator's browser into loading it, so that the browser submits the forged request to the plugin's settings page. CSRF flaws are common in web applications and plugins and are a well-established attack vector.

“The parameters disqus_replace, disqus_public_key and disqus_secret_key are being passed to WordPress’s update_option function directly with no filtering. The documentation for update_option says that it will take any value passed to it and store it in the database. It is up to the plugin author to filter and validate variables here, since there are cases where you want to store HTML or other types of raw data,” Nik Cubrilovic, the researcher who discovered and reported the Disqus flaws, wrote.

“Further down in manage.php we can see that the options are read out of the database again using get_option. These variables are then printed back out on the page in the form, where they are filtered properly. They are only output there after being passed through the WordPress esc_attr function which will string replace HTML characters and escape them. But at the very bottom of the page there is a ‘debug’ feature that dumps all the settings into a textarea. This is used to troubleshoot the plugin, where Disqus support can ask a user to simply copy/paste what is in the textarea to find problems. In the debug area all of these variables are dumped out into the textarea with no filtering.”
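The pattern Cubrilovic describes, an unfiltered save through update_option followed by an unescaped debug dump, next to a hardened version. This is an added illustration written for this article, not the plugin's own code: only the three option names come from the report, while the function names, nonce action, capability check and form handling are assumptions about how a WordPress settings page would be wired up.

```php
<?php
// Hypothetical reconstruction of the reported pattern; not the Disqus plugin's code.
// Assumed to run inside a WordPress admin settings page handler.

$disqus_option_names = array( 'disqus_replace', 'disqus_public_key', 'disqus_secret_key' );

// --- Vulnerable pattern, as described in the report ---
function disqus_save_options_vulnerable() {
    // No nonce check: a form submitted from any other site by a logged-in
    // admin's browser is accepted. No filtering: whatever arrives is stored.
    update_option( 'disqus_replace',    $_POST['disqus_replace'] );
    update_option( 'disqus_public_key', $_POST['disqus_public_key'] );
    update_option( 'disqus_secret_key', $_POST['disqus_secret_key'] );
}

function disqus_debug_dump_vulnerable() {
    global $disqus_option_names;
    // The stored values are echoed straight into the page. esc_attr() is used
    // on the form fields above this point, but not here, so any markup stored
    // via the unfiltered save is rendered by the browser of whoever views it.
    echo '<textarea readonly>';
    foreach ( $disqus_option_names as $name ) {
        echo $name . ' = ' . get_option( $name ) . "\n";
    }
    echo '</textarea>';
}

// --- Hardened version (assumed fix shape, not the vendor's patch) ---
function disqus_save_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Rejects any POST lacking a valid nonce, which a cross-site form cannot supply.
    // The settings form must emit it with wp_nonce_field( 'disqus_save_options', 'disqus_nonce' ).
    check_admin_referer( 'disqus_save_options', 'disqus_nonce' );

    foreach ( array( 'disqus_replace', 'disqus_public_key', 'disqus_secret_key' ) as $name ) {
        $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
        // Strip tags and control characters before the value reaches the database.
        update_option( $name, sanitize_text_field( $raw ) );
    }
}

function disqus_debug_dump_hardened() {
    global $disqus_option_names;
    echo '<textarea readonly>';
    foreach ( $disqus_option_names as $name ) {
        // Escape on output as well, so a value that slipped past input filtering stays inert.
        echo esc_textarea( $name . ' = ' . get_option( $name ) ) . "\n";
    }
    echo '</textarea>';
}
```

Filtering on input and escaping on output are independent controls; the report shows why relying on only one of them, at only one output site, is not enough.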

Cubrilovic wrote a proof-of-concept exploit for the vulnerability and posted it on his site. He said he had used it in a live penetration test for a client by sending the link to an administrator in a spearphishing email.

The other two vulnerabilities that Cubrilovic discovered in Disqus are less serious than the CSRF bug. One of them could be used to reset or delete the options in the Disqus plugin and the other is a cross-site scripting vulnerability.

Disqus is a very popular plugin for WordPress that enables users to comment on posts across multiple sites with a common login.

Categories: Vulnerabilities, Web Security

Comment (1)

  1. rather-not-say

    > Disqus … enables users to comment on posts across
    > multiple sites with a common login.
    That’s a side effect. Disqus goes looking for any site where you (or anyone) used a specific email address, and gathers all those up no matter what login name you (or anyone else) had attached to that email address. I’m a fossil from the 300 baud modem era and for many years my family had one email address. We varied our login names when registering or signing — the name that the public’s supposed to see.
    Lo, when Disqus came along it pulled out postings going back to Usenet and early websites under that email — regardless of the login userID name — and put them all into one single profile. Made “that user” sound rather schizophrenic and rather confused about its age and sex and preferences by doing so.

    If you want to use Disqus, create a unique email address — not just a unique login name — for every site. But I suspect they’re using other methods to uniquely identify you, regardless.

    Remember, your information is the product Disqus is selling.

