Lucene search

Lana CodesWPEX-ID:2BBFC855-6901-462F-8A93-120D7FB5D268

HistoryAug 09, 2022 - 12:00 a.m.

Simple Single Sign On <= 4.1.0 - Authentication Bypass

2022-08-0900:00:00

Lana Codes

126

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

JSON

The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.

When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in.

The button invokes the following URL:
https://lana.solutions/vdb/oauth-client/?auth=sso

The client plugin redirects us to the following URL:
https://lana.solutions/vdb/oauth-server/?oauth=authorize&response_type=code&client_id=A7h8AfabvPH462WLGbcD6Ljb8IOE2tR9uDJva2TW&client_secret=ufMq5A63dGKOxW335SXyQKCNcumxZ2ZILnFk1Mil&redirect_uri=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client%2F%3Fauth%3Dsso&state=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client

The URL contains the "client_secret" code that can be used to request an access token with client credentials grant type authentication.

Exploit script: https://gist.github.com/lana-codes/7659650c13b38b66b43748809b0c3269

References

lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

JSON

Related for WPEX-ID:2BBFC855-6901-462F-8A93-120D7FB5D268