21 Sep

Vulnerability Details: PHP Object Injection Vulnerability in Invite Anyone

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability, and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

Since June we have been doing proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. So ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

22 Mar

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Invite Anyone

At the beginning of the year we took a couple of actions to improve our inclusion of vulnerabilities where there has not been a report on the vulnerability released by the discoverer so that we could expand the number of vulnerabilities we include in our dataset. First, we expanded our monitoring of changes made to plugins to spot more of those situations. Second, we started releasing posts with the details of those vulnerabilities, which allows us to provide more information on the vulnerabilities to our customers than we otherwise could. That has also led to us spotting additional vulnerabilities in those plugins, just as we have when reviewing reports for other vulnerabilities.

While putting together a post on a vulnerability that had existed in the plugin Invite Anyone we spotted another vulnerability, which in part involved a lack of protection against cross-site request forgery (CSRF). After noticing that we did some more checking and found that there was also a CSRF vulnerability when saving the plugin’s settings page, which could be used to cause cross-site scripting (XSS) due to a lack of sanitization when doing that. We notified the developer of those issues and they quickly got back to us and have now released version 1.3.16, which resolves the vulnerability.

Prior to 1.3.16 the plugin’s settings pages included a nonce, which is used to prevent CSRF, but when the settings were saved there was no check to make sure a valid one was included. That occurred in the function invite_anyone_admin_panel in the file /admin/admin-panel.php.

In version 1.3.15 the code for saving starts running right after a check to see if a request to save the settings has been sent:

// 1.3.15: saving begins as soon as the submit field is present, with no nonce check
if ( !empty( $_POST['invite-anyone-settings-submit'] ) ) {
	$options = invite_anyone_options();

In 1.3.16 the function check_admin_referer() is run to check if a valid nonce is included in the request before moving on:

// 1.3.16: check_admin_referer() dies unless a valid nonce for this action is present
if ( !empty( $_POST['invite-anyone-settings-submit'] ) ) {
	check_admin_referer( 'invite_anyone-options' );

	$options = invite_anyone_options();

Also, as of 1.3.15 the function used to sanitize the settings when they were passed through the function register_setting() didn’t do any sanitization:

// 1.3.15: the sanitize callback registered with register_setting() returns the input untouched
function invite_anyone_settings_check($input) {
	return $input;
}

In 1.3.16 that function includes relevant sanitization for each of the settings.
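As an added illustration (not the plugin's own 1.3.16 fix), this is what a sanitize callback for register_setting() can look like in place of the no-op shown above; the option group and every setting name other than default_invitation_subject are assumptions made for the example.

```php
<?php
// Added example, not code from the Invite Anyone plugin. Setting names other than
// default_invitation_subject, and the option group name, are assumptions.

function example_invite_settings_check( $input ) {
    // Build a fresh array so keys that were never registered are dropped, not stored.
    $clean = array();

    // Single-line text: sanitize_text_field() removes tags (script/style blocks
    // including their contents), line breaks and invalid UTF-8, then trims. The
    // proof-of-concept subject "<script>alert(document.cookie);</script>" becomes "".
    $clean['default_invitation_subject'] = isset( $input['default_invitation_subject'] )
        ? sanitize_text_field( $input['default_invitation_subject'] ) : '';

    // Multi-line text: same treatment but line breaks are kept.
    $clean['default_invitation_message'] = isset( $input['default_invitation_message'] )
        ? sanitize_textarea_field( $input['default_invitation_message'] ) : '';

    // Numeric setting: coerce to a non-negative integer and clamp to a sane range.
    $clean['max_invites'] = isset( $input['max_invites'] )
        ? min( absint( $input['max_invites'] ), 100 ) : 5;

    // Enumerated setting: accept only the known values, default to the safe one.
    $allowed = array( 'yes', 'no' );
    $clean['allow_custom_message'] = ( isset( $input['allow_custom_message'] )
        && in_array( $input['allow_custom_message'], $allowed, true ) )
        ? $input['allow_custom_message'] : 'no';

    return $clean;
}

add_action( 'admin_init', function () {
    // Third argument: WordPress runs this callback every time the option is saved.
    register_setting( 'invite_anyone', 'invite_anyone', 'example_invite_settings_check' );
} );

// Defence in depth: escape at the point of output regardless of what is stored,
// so a value that reached the database by another path still cannot run as script.
function example_render_subject_field( $options ) {
    printf(
        '<input type="text" name="invite_anyone[default_invitation_subject]" value="%s">',
        esc_attr( $options['default_invitation_subject'] )
    );
}
```

Sanitizing on save and escaping on output are independent controls; the 1.3.16 fix addressed the first, and the second is what stops stored values from becoming XSS if the first is ever bypassed.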

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the Send Invites tab of a user’s BuddyPress profile page, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=invite-anyone" method="POST">
<input type="hidden" name="invite_anyone[default_invitation_subject]" value="<script>alert(document.cookie);</script>">
<input type="submit" name="invite-anyone-settings-submit" value="Save Changes" />
</form>
</body>
</html>

Timeline

  • March 20, 2017 – Developer notified.
  • March 20, 2017 – Developer responds.
  • March 22, 2017 – Version 1.3.16 released, which fixes vulnerability.

22 Mar

Improper Access Control Vulnerability in Invite Anyone

At the beginning of the year we took a couple of actions to improve our inclusion of vulnerabilities where there has not been a report on the vulnerability released by the discoverer so that we could expand the number of vulnerabilities we include in our dataset. First, we expanded our monitoring of changes made to plugins to spot more of those situations. Second, we started releasing posts with the details of those vulnerabilities, which allows us to provide more information on the vulnerabilities to our customers than we otherwise could. That has also led to us spotting additional vulnerabilities in those plugins, just as we have when reviewing reports for other vulnerabilities.

While putting together a post on a vulnerability that had existed in the plugin Invite Anyone we noticed another related vulnerability. The original vulnerability involved a lack of enforcement of an admin-set restriction on users setting the subject and message of invite emails sent through the plugin. While looking into the details of that vulnerability we noticed that the plugin also didn’t enforce the access control restrictions that can be set for sending invite emails through the plugin. While the relevant page for sending emails was not shown to users who should not be able to send them, such a user could still send a request that caused those emails to be sent. The sending of emails also lacked protection against cross-site request forgery (CSRF); CSRF protection would have stopped those requests as well. We notified the developer of those issues, they quickly got back to us, and they have now released version 1.3.16, which resolves the vulnerabilities.

The vulnerabilities were fixed by adding the following code to the function invite_anyone_catch_send() in the file /by-email/by-email.php:

// 1.3.16: enforce the configured access rule on the server, whether or not the form was shown
if ( ! invite_anyone_access_test() ) {
	return;
}

// 1.3.16: require a valid nonce for the send action, so a forged cross-site request is ignored
if ( ! isset( $_POST['ia-send-by-email-nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['ia-send-by-email-nonce'] ), 'invite_anyone_send_by_email' ) ) {
	return;
}

The function invite_anyone_access_test() checks if the user is permitted to send invite emails, and the second check verifies that a valid nonce has been included with the request to send the invite emails (the nonce is added to the relevant form elsewhere in the code) to prevent CSRF. If either of those checks fails, the function exits and the invite emails are not sent.
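The pattern the 1.3.16 fix follows, shown end to end as an added example rather than the plugin's own code: an access rule enforced in the request handler (not only by hiding the form), a nonce emitted with the form, and the same two checks repeated when the request arrives. The option name, field names, capability mapping and function names are assumptions made for this illustration.

```php
<?php
// Added example, not code from the Invite Anyone plugin. Option, field and function
// names are assumptions; the capability mapping is one reasonable choice, not the
// plugin's.

// Who may send invites: an assumed option holding the minimum role, mapped to a
// capability so the check passes for that role and every role above it.
function example_user_may_send_invites() {
    $role_caps = array(
        'subscriber'    => 'read',
        'editor'        => 'edit_others_posts',
        'administrator' => 'manage_options',
    );
    $minimum_role = get_option( 'example_invite_minimum_role', 'subscriber' );
    // Unknown values fail closed to the administrator capability.
    $cap = isset( $role_caps[ $minimum_role ] ) ? $role_caps[ $minimum_role ] : 'manage_options';
    return current_user_can( $cap ); // false for logged-out visitors as well
}

// The form carries a nonce bound to the send action. Hiding it is cosmetic; the handler enforces.
function example_render_send_form() {
    if ( ! example_user_may_send_invites() ) {
        return;
    }
    echo '<form method="post">';
    wp_nonce_field( 'example_send_by_email', 'example-send-by-email-nonce' );
    echo '<input type="email" name="example_email_address">';
    echo '<input type="submit" name="example-send-submit" value="Send">';
    echo '</form>';
}

// The handler repeats both checks on every request, whether or not the form was shown.
function example_catch_send() {
    if ( empty( $_POST['example-send-submit'] ) ) {
        return;
    }
    if ( ! example_user_may_send_invites() ) {
        return; // access rule enforced server-side
    }
    $nonce = isset( $_POST['example-send-by-email-nonce'] ) ? wp_unslash( $_POST['example-send-by-email-nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_send_by_email' ) ) {
        return; // missing or invalid nonce: treat as a forged request and do nothing
    }
    $to = isset( $_POST['example_email_address'] ) ? sanitize_email( wp_unslash( $_POST['example_email_address'] ) ) : '';
    if ( is_email( $to ) ) {
        wp_mail( $to, 'Invitation', 'You have been invited.' );
    }
}
add_action( 'init', 'example_catch_send' );
```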

Proof of Concept

On the page /wp-admin/admin.php?page=invite-anyone&subpage=access-control set it so that only Administrator-level users are allowed to send invite emails. Then, while logged in as a lower-level user, submit the proof of concept below and the invite email will be sent.

Make sure to replace “[path to WordPress]” with the location of WordPress, “[username]” with the username of the user making the request, and “[email address]” with the email address to send the email invite to.

<html>
<body>
<form action="http://[path to WordPress]/members/[username]/invite-anyone/sent-invites/send/" method="POST">
<input type="hidden" name="invite_anyone_email_addresses" value="[email address]">
<input type="hidden" name="invite_anyone_custom_subject" value="An invitation to join the test community.">
<input type="hidden" name="invite_anyone_custom_message" value="You have been invited by test to join the test community.
Visit test's profile at http://localhost/members/test/.">
<input type="hidden" name="invite-anyone-submit" value="Send Invites ">
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • March 20, 2017 – Developer notified.
  • March 20, 2017 – Developer responds.
  • March 22, 2017 – Version 1.3.16 released, which fixes vulnerability.

21 Mar

Vulnerability Details: Authenticated Arbitrary Email Sending Vulnerability in Invite Anyone

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...

