Document Title:
===============
BulletProof Security Wordpress v50.8 - POST Inject Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1326

Release Date:
=============
2014-09-30

Vulnerability Laboratory ID (VL-ID):
====================================
1326

Common Vulnerability Scoring System:
====================================
3.2

Product & Service Introduction:
===============================
The BulletProof Security Plugin allows you to create and activate .htaccess website security with one click (figuratively) for your website without having to know anything about .htaccess files. The Master .htaccess files are pre-made and BPS writes .htaccess code that is customized to each specific website. There is nothing to figure out or to configure. Click the AutoMagic buttons (creates customized Master .htaccess files) and Activate BulletProof Modes (copies the customized Master .htaccess files to your root and wp-admin folders). BPS has built-in Backup and Restore and an .htaccess File Editor for full manual editing control as well. BPS Custom Code allows you to add additional custom .htaccess code or BPS Bonus Custom Code.

- .htaccess Website Security Protection (Firewalls)
- Login Security & Monitoring
- DB Backup
- DB Backup Logging
- DB Table Prefix Changer
- Security Logging
- HTTP Error Logging
- FrontEnd/BackEnd Maintenance Mode
- UI Theme Skin Changer

( Copy of the Vendor Homepage: https://wordpress.org/plugins/bulletproof-security/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent POST inject web vulnerability in the official Bulletproof Security (BPS) v50.8 Wordpress Plugin.

Vulnerability Disclosure Timeline:
==================================
2014-09-30: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
AIT-pro
Product: BPS Wordpress Plugin - Web Application 50.8

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side POST inject web vulnerability has been discovered in the official Bulletproof Security (BPS) v50.8 Wordpress Plugin. The issue allows remote attackers to inject their own persistent malicious script code into the application side of the vulnerable module.

The vulnerability is located in the bspURL value of the wp_remote_get POST method request in the system-info.php file. Remote attackers can craft malicious pages to perform application-side executions via a POST injection attack. The vulnerability is exploitable both locally and remotely. During testing the researcher found that the `Check Headers GET request` and `Check Headers HEAD request` are the vulnerable input fields. After the injection, execution occurs in the main system-info.php page next to the `Check Website Headers Tool` web context.

The security risk of the persistent POST inject vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.2. Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] System Info > Check Website Headers Tool

Vulnerable Input(s):
[+] Check Headers GET request
[+] Check Headers HEAD request

Vulnerable Parameter(s):
[+] bspURL (wp_remote_get)

Affected Module(s):
[+] System Information (system-info.php)

Proof of Concept (PoC):
=======================
The POST inject web vulnerability can be exploited by local attackers and by remote attackers without a privileged application user account with low or medium user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

PoC: Exploit (system-info.php)

HEAD Request Headers: "><"%20%20>"
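The defect class described in the Technical Details above is a user-supplied URL that the Check Website Headers tool receives via POST, stores, and renders back into the admin page without output encoding. The following PHP is an added example, not BulletProof Security's own code: it shows that unsafe pattern next to a hardened version that validates the URL, protects the request with a nonce and capability check, and escapes every output; the `bps_example_*` function names and the option key are hypothetical.

```php
<?php
// Added example, not BulletProof Security's own code. The bps_example_* names
// and the 'bps_example_last_url' option key are hypothetical.

// UNSAFE: the pattern behind a persistent POST inject. The submitted URL is
// stored and later echoed into the page without any output encoding, so a value
// containing a quote and an angle bracket breaks out of the attribute context.
function bps_example_headers_tool_unsafe() {
    if ( isset( $_POST['bspURL'] ) ) {
        update_option( 'bps_example_last_url', $_POST['bspURL'] ); // stored as-is
        $resp = wp_remote_get( $_POST['bspURL'] );                   // fetched as-is
    }
    $last = get_option( 'bps_example_last_url', '' );
    echo '<input type="text" name="bspURL" value="' . $last . '">';  // no escaping
}

// HARDENED: nonce and capability check on the request, strict URL validation on
// input, and context-appropriate escaping on every output.
function bps_example_headers_tool_safe() {
    if ( isset( $_POST['bspURL'] ) ) {
        check_admin_referer( 'bps_example_check_headers' );        // CSRF protection
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // Only a clean http(s) URL survives; anything else becomes '' and is never stored.
        $url = esc_url_raw( wp_unslash( $_POST['bspURL'] ), array( 'http', 'https' ) );
        if ( '' === $url ) {
            echo '<p>' . esc_html__( 'Invalid URL.', 'bps-example' ) . '</p>';
        } else {
            update_option( 'bps_example_last_url', $url );
            $resp = wp_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
            if ( ! is_wp_error( $resp ) ) {
                // Response headers come from a remote host, so escape them before printing.
                foreach ( wp_remote_retrieve_headers( $resp ) as $name => $value ) {
                    echo '<div>' . esc_html( $name . ': ' . implode( ', ', (array) $value ) ) . '</div>';
                }
            }
        }
    }
    $last = get_option( 'bps_example_last_url', '' );
    echo '<form method="post">';
    wp_nonce_field( 'bps_example_check_headers' );
    // esc_attr() for the attribute context; esc_url() would apply if printed as an href.
    echo '<input type="text" name="bspURL" value="' . esc_attr( $last ) . '">';
    echo '<button type="submit">Check Headers</button></form>';
}
```

The same escaping rule applies wherever the stored value is later displayed, including any log or status view that echoes it.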