18 Dec

Open Redirect Vulnerability in SagePay Server Gateway for WooCommerce

Recently Ricardo Sanchez disclosed a reflected cross-site scripting (XSS) vulnerability in the SagePay Server Gateway for WooCommerce plugin. When we went to test it out while adding the vulnerability to our data set, we noticed a strange result. The proof of concept URL was

/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=</script>"><script>alert("R1XS4.COM")</script>

but after the reflected cross-site scripting happened the URL was changing to

/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/</script>

Looking at the code, what we found was that the GET input "page" that is used in the reflected XSS vulnerability is also set, without any validation, as the URL that a form generated by the file /includes/pages/redirect.php is submitted to:

'<form name="form" action="'. urldecode($_GET["page"]) . '" method="POST" target="_top" >' .

That file also creates JavaScript function OnLoadEvent(), which submits the form:

'<script type="text/javascript"> function OnLoadEvent() { document.form.submit(); }</script>' .

That function runs when the page is loaded:

'<body OnLoad="OnLoadEvent();">' .

So anyone who loads the page is automatically sent, by an auto-submitted POST request, to whatever location the GET input specifies, including a site outside of the WordPress installation. That is an open redirect vulnerability, and it also explains the URL change we saw with the XSS proof of concept: once the script had run, the form submitted itself to the (truncated) value of the "page" input.
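To make the problem and the fix concrete, here is an added example that is not code from the plugin or from the original advisory. It puts the form output that redirect.php produces next to a hardened version that only accepts a target on the site itself, and runs both over a set of constructed inputs (the proof of concept URL, a scheme-relative URL, a userinfo trick, a javascript: value, the XSS payload, and two legitimate local targets). The site host "shop.example", the fallback path "/checkout/", and the function names are assumptions for this demonstration; inside a real WordPress plugin, wp_validate_redirect() and esc_url() do the same two jobs.

```php
<?php
// Added example, not the plugin's own code. Assumed site host and fallback
// path; the sample inputs below are constructed for this demonstration.

// Accept only targets that stay on $site_host: an absolute path, or an
// http(s) URL whose host matches exactly. Everything else is off-site.
function is_local_redirect_target(string $target, string $site_host): bool {
    // Control characters and backslashes are rejected up front: browsers
    // treat "\" like "/", which parse_url() does not.
    if ($target === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['host'])) {
        // Covers both "https://host/..." and scheme-relative "//host/...".
        if (isset($parts['scheme']) &&
            !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return false; // "https://shop.example@attacker.example/" style trick
        }
        return strtolower($parts['host']) === strtolower($site_host);
    }
    // No host: must be an absolute path. "javascript:alert(1)" parses as a
    // scheme with no host, so a scheme without a host is rejected too.
    return !isset($parts['scheme'])
        && isset($parts['path'])
        && $parts['path'][0] === '/';
}

// What redirect.php does: the URL-decoded parameter becomes the form action
// verbatim, so it controls both where the POST goes and the HTML around it.
function vulnerable_form(string $page): string {
    return '<form name="form" action="' . urldecode($page)
        . '" method="POST" target="_top">';
}

// Hardened form: validate the target, fall back to a known-good path, and
// escape the attribute value so the reflected XSS is closed as well.
function hardened_form(string $page, string $site_host, string $fallback): string {
    $target = urldecode($page);
    if (!is_local_redirect_target($target, $site_host)) {
        $target = $fallback;
    }
    return '<form name="form" action="'
        . htmlspecialchars($target, ENT_QUOTES, 'UTF-8')
        . '" method="POST" target="_top">';
}

$site_host = 'shop.example';   // assumed
$fallback  = '/checkout/';     // assumed
$samples = [                   // constructed inputs
    'https://www.pluginvulnerabilities.com',          // the PoC: off-site
    '//attacker.example/phish',                       // scheme-relative
    'https://shop.example@attacker.example/',         // userinfo trick
    'javascript:alert(1)',                            // not a web URL
    '</script>"><script>alert("R1XS4.COM")</script>', // the XSS payload
    '/checkout/order-received/?key=wc_order_abc123',  // legitimate path
    'https://shop.example/checkout/',                 // legitimate absolute URL
];
foreach ($samples as $s) {
    printf("%-50s allowed=%s\n", $s,
        is_local_redirect_target($s, $site_host) ? 'yes' : 'no');
    echo "  vulnerable: ", vulnerable_form($s), "\n";
    echo "  hardened:   ", hardened_form($s, $site_host, $fallback), "\n";
}
```

Run it with `php redirect-check.php`. Only the last two samples are allowed through; every other input, including the proof of concept URL from this post, is replaced by the fallback path, and the escaped attribute value means the XSS payload is rendered as text rather than markup.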

Due to this being a rather obvious issue if you look at the other vulnerability, we are disclosing this the same day we notified the developer of the issue.

Proof of Concept

The following proof of concept will redirect to the homepage of our website.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=https://www.pluginvulnerabilities.com

Timeline

  • December 18, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us, we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
