wpexploit - Holme - WPEX-ID:6BC6023F-A5E7-4665-896C-95AFA5B638FB
History: Feb 06, 2021 - 12:00 a.m.

Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF


EPSS: 0.019 (Low), Percentile: 88.7%

The LikeBtn WordPress plugin was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF). On line 7493 in likebtn_like_button.php a hook is set to allow unauthenticated ajax calls which will call the function likebtn_prx(). As the name suggests, this function works as a proxy and can be used to make the server issue a request to a user-specified URL as long as the host is likebtn.com. The URL to request must be specified in the GET parameter likebtn_q as a Base64 encoded value. To ensure that the host is likebtn.com the following host-check is performed:

    if (!strstr(parse_url($url, PHP_URL_HOST), 'likebtn.com')) {
        $response['err'] = 'Wrong prx address';
    } else {
        …
    }

As you might notice, this host-check fails rather miserably. As long as the string "likebtn.com" appears somewhere in the host, the URL is accepted. This means that e.g. the following would be accepted: likebtn.com.attackerwebsite.bla. A GET request is then sent to the specified URL using WP_Http::request. Since redirects are followed, an attacker can easily make the server request whatever they want. Finally, the response is dumped using echo, as seen on lines 7400-7409.

Let's say that an attacker owns the website attackerwebsite.bla and wants to attack targetwebsite.bla which uses the LikeBtn WP plugin. The attacker would then do the following:

1. Create the subdomain likebtn.com.attackerwebsite.bla
2. Make the subdomain redirect to localhost
3. Base64 encode the URL to the new subdomain (http://likebtn.com.attackerwebsite.bla -> aHR0cDovL2xpa2VidG4uY29tLmF0dGFja2Vyd2Vic2l0ZS5ibGE=)
4. Make a request to https://targetwebsite.bla/wp-admin/admin-ajax.php?action=likebtn_prx&likebtn_q=aHR0cDovL2xpa2VidG4uY29tLmF0dGFja2Vyd2Vic2l0ZS5ibGE=
5. The attacker then receives all the juicy secret info stored on localhost
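The substring host-check quoted above, beside a strict allow-list check of the kind a defender would use instead, as an added example that is not the plugin's code; the allow-list contents, the https pinning and the sample URLs are assumptions:

```php
<?php
// Added example, not code from the LikeBtn plugin. Contrasts the weak
// substring match described in the advisory with a strict allow-list check.

// Weak pattern from the advisory: any host that merely *contains*
// "likebtn.com" passes, so "likebtn.com.attackerwebsite.bla" is accepted.
function weak_host_check(string $url): bool {
    return (bool) strstr((string) parse_url($url, PHP_URL_HOST), 'likebtn.com');
}

// Hardened variant (assumption: the proxy only ever needs these hosts).
// Exact, case-insensitive host match, scheme pinned to https, no userinfo or
// custom port. The caller must also stop following redirects, e.g.
// wp_remote_get($url, ['redirection' => 0]), otherwise every hop would need
// to be re-validated against the same rules.
function strict_host_check(string $url, array $allowed = ['likebtn.com', 'www.likebtn.com']): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;                       // unparseable or host-less URL
    }
    if (!isset($parts['scheme']) || strtolower($parts['scheme']) !== 'https') {
        return false;                       // only the expected scheme
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;                       // reject userinfo and non-default ports
    }
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Constructed sample inputs: one legitimate URL, the advisory's bypass host,
// and two look-alikes that only put "likebtn.com" outside the host part.
$samples = [
    'https://likebtn.com/api',                     // weak=pass   strict=pass
    'http://likebtn.com.attackerwebsite.bla',      // weak=pass   strict=reject
    'http://attackerwebsite.bla/?x=likebtn.com',   // weak=reject strict=reject
    'https://likebtn.com@attackerwebsite.bla/',    // weak=reject strict=reject
];
foreach ($samples as $url) {
    printf("%-45s weak=%s strict=%s\n", $url,
        weak_host_check($url) ? 'pass' : 'reject',
        strict_host_check($url) ? 'pass' : 'reject');
}
```

Only the second sample separates the two checks: the substring match lets the attacker-controlled subdomain through, the exact match does not.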
