We have recently been increasing the number of new vulnerabilities we include in our data through better monitoring of changes made to plugins, so that in more cases where no report has been released on a vulnerability we can still include it. Combined with that, we have increased the number of posts we put out detailing those vulnerabilities. Since we often find that vulnerabilities have been only partially fixed or not fixed at all, that is also likely to mean we will find more vulnerabilities that remain unfixed despite an attempt to fix them.
That was the case when we looked into a reflected cross-site scripting vulnerability in the plugin moreAds SE. First we noticed that the vulnerability had not been fixed, but then we noticed that there was another vulnerability in the same code.
Since no restriction is placed on what the value can be (other than the removal of any double quotes), a request sent through this code can be made to redirect to any web address, which is an open redirect.
After we notified the developer of the issue, they released version 1.4.9, which fixes it by requiring an additional unique value, generated by the plugin, to be provided with any request that causes a redirect:
<?php
$current_url = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$is_valid = MASE_UrlSigning::verifySignedUrl($current_url, MASE::$URLSIGNING_KEY);
$url = $is_valid ? $_GET['i'] : '/';
?>
window.top.location = "<?php echo esc_url($url); ?>";
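As an added illustration of the signed-URL approach the fix takes (this is example code, not the plugin's own MASE_UrlSigning class, whose implementation we have not seen), the following shows one way to sign a redirect URL with an HMAC, verify it in constant time, and still restrict the destination with WordPress's own wp_validate_redirect(). The key constant, the example_* functions and the 'example_redir' action name are assumptions.

```php
<?php
// Added example, not the plugin's code: HMAC-signed redirect URLs for a
// WordPress admin-ajax handler, with wp_validate_redirect() as a second
// check. All names here (EXAMPLE_SIGNING_KEY, example_* functions, the
// 'example_redir' action) are hypothetical.
define('EXAMPLE_SIGNING_KEY', 'replace-with-a-long-random-secret');

// Rebuild the URL without its sig parameter. Both signing and verifying
// go through this, so query re-encoding by a browser cannot break the HMAC.
function example_strip_sig(string $url): string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) { return ''; }
    $params = [];
    if (isset($p['query'])) { parse_str($p['query'], $params); }
    unset($params['sig']);
    $out = $p['scheme'] . '://' . $p['host']
         . (isset($p['port']) ? ':' . $p['port'] : '') . ($p['path'] ?? '/');
    return $params ? $out . '?' . http_build_query($params) : $out;
}

// Append an HMAC over the whole URL (scheme, host, path and query).
function example_sign_url(string $url, string $key): string {
    $base = example_strip_sig($url);
    $sig  = hash_hmac('sha256', $base, $key);
    return $base . (strpos($base, '?') === false ? '?' : '&') . 'sig=' . $sig;
}

// Recompute the HMAC and compare in constant time with hash_equals().
function example_verify_url(string $url, string $key): bool {
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) { return false; }
    parse_str($query, $params);
    if (!isset($params['sig']) || !is_string($params['sig'])) { return false; }
    return hash_equals(hash_hmac('sha256', example_strip_sig($url), $key), $params['sig']);
}

// Hardened handler: an unsigned request falls back to '/', and even a signed
// one may only redirect to hosts wp_validate_redirect() allows.
function example_redirect_handler(): void {
    $current = (is_ssl() ? 'https' : 'http') . '://'
             . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $target = '/';
    if (example_verify_url($current, EXAMPLE_SIGNING_KEY) && isset($_GET['i'])) {
        $target = wp_validate_redirect(esc_url_raw(wp_unslash($_GET['i'])), '/');
    }
    wp_safe_redirect($target);
    exit;
}
add_action('wp_ajax_nopriv_example_redir', 'example_redirect_handler');
```

Links the plugin emits would be produced with example_sign_url() so that only URLs the plugin itself generated pass verification; a logged-in path would additionally hook 'wp_ajax_example_redir'.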
Proof of Concept
The following proof of concept will redirect you to our homepage.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=mase_cst_redir&i=https://www.pluginvulnerabilities.com
- January 20, 2017: Notified developer.
- January 23, 2017: Version 1.4.9 released, which fixes vulnerability.