18 Dec 2017

Open Redirect Vulnerability in SagePay Server Gateway for WooCommerce

Recently Ricardo Sanchez disclosed a reflected cross-site scripting (XSS) vulnerability in the plugin SagePay Server Gateway for WooCommerce. When we went to test that out while adding the vulnerability to our data set, we noticed a strange result. The proof of concept URL was

/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=</script>"><script>alert("R1XS4.COM")</script>

but after the reflected cross-site scripting happened the URL was changing to

/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/</script>

Looking at the code what we found was that the GET input “page” that is used in the reflected XSS vulnerability is also set as the URL that a form generated by the file /includes/pages/redirect.php is submitted to:

'<form name="form" action="'. urldecode($_GET["page"]) . '" method="POST" target="_top" >' .

That file also creates JavaScript function OnLoadEvent(), which submits the form:

'<script type="text/javascript"> function OnLoadEvent() { document.form.submit(); }</script>' .

That function runs when the page is loaded:

'<body OnLoad="OnLoadEvent();">' .

So you are automatically redirected to the location specified by the GET input, which is an open redirect vulnerability.
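One way to close both the open redirect and the reflected XSS, shown here as an added example that is not the plugin's own code. It assumes WordPress is loaded when redirect.php runs (so wp_validate_redirect(), esc_url() and the allowed_redirect_hosts filter are available) and uses gateway.example.com as a stand-in for the real payment gateway host.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded and that
// "gateway.example.com" stands in for the real payment gateway host.

// The pattern the advisory describes: the raw GET value becomes the form
// action, so any destination (or a quote-breaking string) is accepted.
function vulnerable_form_html() {
    return '<form name="form" action="' . urldecode( $_GET['page'] ) . '" method="POST" target="_top">';
}

// Hardened version: only an allowlisted host may be the auto-submit target.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    // Assumed gateway hostname; replace with the host the plugin really posts to.
    $hosts[] = 'gateway.example.com';
    return $hosts;
} );

function safe_redirect_target() {
    $raw = isset( $_GET['page'] ) ? wp_unslash( $_GET['page'] ) : '';
    // wp_validate_redirect() returns the fallback ('') unless the URL is
    // http(s) and its host is this site or one of allowed_redirect_hosts.
    return wp_validate_redirect( esc_url_raw( $raw ), '' );
}

function hardened_form_html() {
    $target = safe_redirect_target();
    if ( '' === $target ) {
        // Refuse to render the self-submitting form for an unapproved destination.
        wp_die( 'Invalid redirect target.' );
    }
    // esc_url() in the attribute also stops the reflected XSS the advisory cites.
    return '<form name="form" action="' . esc_url( $target ) . '" method="POST" target="_top">'
        . '<script type="text/javascript">function OnLoadEvent(){document.form.submit();}</script>';
}
```

With the allowlist in place, the proof of concept URL above (page=https://www.pluginvulnerabilities.com) no longer produces a form and the page stops with "Invalid redirect target." instead of redirecting.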

Due to this being a rather obvious issue if you look at the other vulnerability, we are disclosing this the same day we notified the developer of the issue.

Proof of Concept

The following proof of concept will redirect to the homepage of our website.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=https://www.pluginvulnerabilities.com

Timeline

  • December 18, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
