Open Redirect Vulnerability in SagePay Server Gateway for WooCommerce
Recently Ricardo Sanchez disclosed a reflected cross-site scripting (XSS) vulnerability in the plugin SagePay Server Gateway for WooCommerce. When we went to test that out while adding the vulnerability to our data set, we noticed a strange result. The proof of concept URL was
/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=</script>”><script>alert(“R1XS4.COM”)</script>
but after the reflected cross-site scripting happened the URL was changing to
/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/</script>
Looking at the code, we found that the GET input “page” used in the reflected XSS vulnerability is also set as the URL that a form generated by the file /includes/pages/redirect.php is submitted to:
'<form name="form" action="'. urldecode($_GET["page"]) . '" method="POST" target="_top" >' .
That file also creates a JavaScript function, OnLoadEvent(), which submits the form:
'<script type="text/javascript"> function OnLoadEvent() { document.form.submit(); }</script>' .
That function runs when the page is loaded:
'<body OnLoad="OnLoadEvent();">' .
So you are automatically redirected to the location specified by the GET input, which is an open redirect vulnerability.
Due to this being a rather obvious issue if you look at the other vulnerability, we are disclosing this the same day we notified the developer of the issue.
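One way the form target could be validated and escaped so that neither the redirect nor the script injection is possible. This is an added example, not the plugin's code or its developer's fix; it assumes the legitimate target is always on a fixed set of gateway hosts, and ALLOWED_HOSTS, validated_form_target() and render_redirect_page() are hypothetical names with a placeholder host.

```php
<?php
// Added example, not the plugin's code. ALLOWED_HOSTS is a constructed
// placeholder; a real deployment would list the payment gateway's hosts.
const ALLOWED_HOSTS = ['gateway.example.com'];

// Return $raw if it is an absolute https URL on an allowed host, else null.
function validated_form_target($raw): ?string
{
    // $_GET values arrive already URL-decoded, so no urldecode() here:
    // a second decode lets double-encoded input bypass earlier checks.
    if (!is_string($raw) || preg_match('/[\\\\\x00-\x20]/', $raw)) {
        return null; // arrays, backslashes, whitespace, control characters
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-less ("//host") or malformed
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // rejects javascript:, data:, http:
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // rejects https://allowed-host@other-host/
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null; // this check is what closes the open redirect
    }
    return $raw;
}

function render_redirect_page(array $query): string
{
    $target = validated_form_target($query['page'] ?? '');
    if ($target === null) {
        http_response_code(400);
        return 'Invalid redirect target.';
    }
    // Escape for the attribute context so quotes and angle brackets cannot
    // break out of action="..." (this is what closes the reflected XSS).
    $action = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<body OnLoad="OnLoadEvent();">'
        . '<form name="form" action="' . $action . '" method="POST" target="_top"></form>'
        . '<script type="text/javascript"> function OnLoadEvent() { document.form.submit(); }</script>'
        . '</body>';
}

// Constructed sample inputs: one allowed target, one off-site URL, one markup string.
foreach (['https://gateway.example.com/pay?id=1', 'https://www.pluginvulnerabilities.com', '"><script>'] as $sample) {
    echo $sample, ' => ', validated_form_target($sample) ?? 'REJECTED', PHP_EOL;
}
```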
Proof of Concept
The following proof of concept will redirect to the homepage of our website.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=https://www.pluginvulnerabilities.com
Timeline
- December 18, 2017 – Developer notified.