Exploit the possiblities

WordPress iMember360is 3.9.001 XSS / Disclosure / Code Execution

WordPress iMember360is 3.9.001 XSS / Disclosure / Code Execution
Posted Apr 25, 2014
Authored by Everett Griffiths

WordPress iMember360is plugin versions 3.8.012 through 3.9.001 suffers from arbitrary code execution, database credential disclosure, arbitrary user deletion, and cross site scripting vulnerabilities.

tags | exploit, arbitrary, vulnerability, code execution, xss, info disclosure
MD5 | d359e63a8e1d080f3473c5684422d0e0

WordPress iMember360is 3.9.001 XSS / Disclosure / Code Execution

Change Mirror Download
------------
BACKGROUND
------------
"iMember360is a WordPress plugin that will turn a normal WordPress site
into a full featured membership site. It includes all the protection
controls you can imagine, yet driven by Infusionsoft's second-to-none CRM
and e-commerce engine."
-- http://imember360.com/

This plugin is hailed by some as being one of the power tools of the "big
boys" of internet marketing, and according to the author it is installed on
some 5,000 sites worldwide.

Unfortunately, the author is openly hostile at the suggestion that there
are problems with his code: attempts to alert him to the problems with the
plugin resulted in a flurry of insults, accusations, and nasty-grams to me
and others working on the project. He accused me of telling "blatant lies"
and fabricating screenshots of the vulnerabilities (!!!). So here we are
in the disclosure list. Developers would do well to error on the side of
humility here and remember that the only acceptable response to a bug
report you disagree with is "cannot reproduce," and it my sincere hope that
the author gets therapy, a security audit, or both: his customers deserve
more than the incompetence and aggression.

-------------------
VULNERABILITIES
-------------------

* Disclosure of database credentials
* XSS Vulnerabilities
* Arbitrary user deletion
* Arbitrary code execution


-----------------
AFFECTED VERSIONS
-----------------
v3.8.012 thru v3.9.001

-----------------------
PROOF OF CONCEPT
-----------------------

Dictionary based URL scanning of a site where the plugin is installed
revealed numerous $_GET parameters that triggered special functionality
that rarely seemed properly checked for permissions. The specific
vulnerabilities include:

DATABASE CREDENTIALS DISCLOSED

?i4w_dbinfo=

Prior to version 3.9.001, setting this parameter on a site where the plugin
is installed would trigger the full database credentials to be printed,
including database name, user, password, and encoding.

After version 3.9.001, this exploit requires that the user request an admin
URL (e.g. as a registered subscriber).

XSS VULNERABILITIES

?decrypt=<any XSS code here>
?encrypt=<any XSS code here>

If set, both of these parameters will simply print what follows verbatim
onto the page and exit: nothing else is printed. A phishing attack is
quite simple here because the attackers do not have to camouflage anything:
the remote Javascript file can simply generate the *entire* page. Just a
reminder that some hosts filter the $_GET parameters (e.g. escaping quotes)
and not all browsers interpret malformed tags correctly, but this these
parameters are vulnerable to XSS attacks. On some setups with caching,
this may result in a persistent XSS attack when subsequent page views serve
up the compromised page.


DELETE ARBITRARY USERS

?i4w_clearuser=&Email=<user_login_name>

If these 2 parameters are defined, the named user will be *deleted* from
the Wordpress database (with one catch). The i4w_clearuser parameter must
match the API key used by the plugin, but if the plugin has not yet had the
license activated, then the API key is null, so the attack succeeds.
Wordpress login names are printed in comments or can be guessed (e.g. the
ubiquitous "admin").


ARBITRARY CODE EXECUTION

?i4w_trace=; <put any code here> #

The i4w_trace parameter passes unescaped values to the system shell when
the page is being requested by an admin (the user must be authenticated as
an administrator for this to work). Put any code you want in between the
";" and the "#". This makes for a dangerous phishing attack if you can
convince an admin to click on a prepared link.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    13 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close