
Author: James Golovich

Sprout Invoices < 9.4 Security Vulnerabilities

Sprout Invoices is a WordPress plugin from Sprout Apps for creating invoices. This is another low-use plugin (1,000+ active installs of the free version, as reported by the wordpress.org stats page). I believe that any issue in an invoice/payment system needs to be reported so people can update before it hits them in the bank account.

Unauthenticated access to methods named init

Inside controllers/importers/Importer.php the class hooks into the ‘init’ WordPress action to provide access to the various importer modules (ironically enough, one of them imports from the WP-Invoice plugin that I recently posted about). Because ‘init’ runs on every request, this setup lets an unauthenticated user pass in a class name, and the plugin then calls that class’s ‘init’ function.

I don’t know of any class in a default WordPress install whose ‘init’ is readily exploitable, but other installed plugins or themes may well have one, and letting an arbitrary visitor call it is what makes this dangerous.

[screenshot: sprout-importer]
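To make the dispatch problem concrete, here is an added example (not Sprout Invoices’ code) of an ‘init’-style dispatcher that takes an importer name from the request. The first version accepts any class name, as the post describes; the second resolves a short key through a fixed allowlist and requires a capability first. The class names, the request arrays, and the callable standing in for current_user_can() are all constructed for the demo.

```php
<?php
// Added example (not Sprout Invoices' code): an 'init'-style dispatcher that
// takes an importer name from the request. dispatch_vulnerable() accepts any
// class name; dispatch_hardened() resolves a short key through an allowlist and
// requires a capability first. Class names and requests here are constructed.

interface Importer
{
    public static function init(): string;
}

final class CsvImporter implements Importer
{
    public static function init(): string
    {
        return 'csv importer ready';
    }
}

// Stand-in for a class from some unrelated plugin or theme that happens to
// expose a static init() with side effects. It is reachable only because the
// vulnerable dispatcher will call init() on whatever name it is handed.
final class ThirdPartyMaintenance
{
    public static $runs = 0;

    public static function init(): string
    {
        self::$runs++;
        return 'maintenance task executed';
    }
}

// Vulnerable shape: class_exists()/method_exists() are not an authorization
// check, so any visitor can trigger any reachable static init().
function dispatch_vulnerable(array $request): ?string
{
    $class = $request['importer'] ?? '';
    if (is_string($class) && class_exists($class) && method_exists($class, 'init')) {
        return $class::init();
    }
    return null;
}

// Hardened shape: the caller must hold a capability (checked via a callable
// standing in for current_user_can()), and the request carries a short key
// that is looked up in a fixed map, never a class name.
const IMPORTERS = ['csv' => CsvImporter::class];

function dispatch_hardened(array $request, callable $user_can): ?string
{
    if (!$user_can('manage_options')) {
        return null;
    }
    $key = $request['importer'] ?? '';
    if (!is_string($key) || !isset(IMPORTERS[$key])) {
        return null;
    }
    $class = IMPORTERS[$key];
    return $class::init();
}

// Constructed callers: an anonymous visitor (no capabilities) and an admin.
$anonymous = function (string $cap): bool { return false; };
$admin     = function (string $cap): bool { return true; };

// The anonymous visitor names a third-party class: the vulnerable dispatcher
// runs its init(), the hardened one returns null for the same request.
var_dump(dispatch_vulnerable(['importer' => 'ThirdPartyMaintenance']));
var_dump(ThirdPartyMaintenance::$runs);
var_dump(dispatch_hardened(['importer' => 'ThirdPartyMaintenance'], $anonymous));
// The admin uses the legitimate key and reaches CsvImporter::init().
var_dump(dispatch_hardened(['importer' => 'csv'], $admin));
```

The point of the allowlist is that the request never names a class at all: even a perfectly valid class name from another plugin maps to nothing, and the capability check runs before any lookup. Run it with `php dispatch.php` (or whatever you save it as).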

Unauthenticated uploading of CSV files

The CSV import module allows an unauthenticated user to upload CSV files, though nothing is actually imported without a valid nonce, and that nonce does not appear to be leaked to anyone without the proper permissions. A malicious user could still upload large files in an attempt to fill up the storage space, though with the high limits available today that is probably unlikely to matter.

Unauthenticated access to unreleased JSON API

Dan Cameron, the developer, said that the included JSON API was in development and had been abandoned in favor of the official WordPress REST API. In this release, however, it was enabled and fully accessible to anyone without being logged in. At first glance there appears to be some code to authenticate requests, but it only applies to requests whose action contains ‘create-‘; as long as that string is not in $_REQUEST[‘si_json_api’] the request passes straight through.

[screenshot: sprout-api]

After that (possible) authentication step, php://input is read and passed to json_decode, so any of the available API functions can be used, allowing an anonymous caller to create or view clients, payments, estimates, and invoices.
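The following added example (not Sprout Invoices’ code) reconstructs the shape of that gate beside a default-deny version. The action names, the request array, and the JSON body (standing in for what the real endpoint reads from php://input) are constructed, and run_action() stands in for the actual API handlers.

```php
<?php
// Added example (not Sprout Invoices' code): the shape of a gate that only
// authenticates actions containing 'create-' and lets every other action
// through, beside a default-deny version. Action names and the request body
// below are constructed; run_action() stands in for the real API handlers.

const API_ACTIONS = ['get-client', 'get-invoice', 'create-invoice'];

function run_action(string $action, array $body): array
{
    return ['action' => $action, 'body' => $body];
}

// Vulnerable shape: authentication is a substring deny-list. 'get-client'
// never matches, so the body is decoded and the action runs for anyone.
function api_vulnerable(array $request, string $raw_body, bool $authenticated): ?array
{
    $action = $request['si_json_api'] ?? '';
    if (!is_string($action)) {
        return null;
    }
    if (strpos($action, 'create-') !== false && !$authenticated) {
        return null;
    }
    if (!in_array($action, API_ACTIONS, true)) {
        return null;
    }
    $body = json_decode($raw_body, true);
    return is_array($body) ? run_action($action, $body) : null;
}

// Hardened shape: deny first, then allowlist the action, then decode the body.
// Reads are gated exactly like writes, because client and invoice data is
// sensitive in its own right.
function api_hardened(array $request, string $raw_body, bool $authenticated): ?array
{
    if (!$authenticated) {
        return null;
    }
    $action = $request['si_json_api'] ?? '';
    if (!is_string($action) || !in_array($action, API_ACTIONS, true)) {
        return null;
    }
    $body = json_decode($raw_body, true);
    return is_array($body) ? run_action($action, $body) : null;
}

// Constructed anonymous request: a read action plus a JSON body of the kind
// the real endpoint would pull from php://input.
$request = ['si_json_api' => 'get-client'];
$body    = '{"client_id": 7}';

// The deny-list gate serves the read to the anonymous caller; the
// default-deny gate returns null before touching the body.
var_dump(api_vulnerable($request, $body, false));
var_dump(api_hardened($request, $body, false));
```

The structural difference is the order of the checks: identity first, then an allowlisted action, and only then any parsing of attacker-controlled input. A deny-list keyed on a substring of the action name is easy to slip past by simply choosing an action it does not mention.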

Timeline

  • 1/15/2016 12:42am Initial contact form submitted
  • 1/15/2016 1:35pm Response from developer
  • 1/15/2016 5:01pm Full disclosure sent to developer
  • 1/18/2016 New version released

Beaver Builder Lite and Pro < 1.7.1 Security Issue

Beaver Builder is a popular WordPress plugin that allows drag & drop editing of pages. I’m a big fan of this plugin; it lets users make some pretty great sites without a lot of work. Before I use any plugin I have to do at least some minimal reading of the code to search for security issues. I discovered a few issues here, though using them requires a valid WordPress user account (of any role, not just an administrator).

The wordpress.org page for the lite version claims there are 50,000+ active installs, I could not find any indication of how many users of the pro version there are.

Unauthorized AJAX Calls

The Beaver Builder plugin creates its own AJAX handler, which is hooked into the ‘wp’ WordPress action.

[screenshot: bb-ajax]

This looks solid at first glance. It requires a user to be logged in and also checks with current_user_can() that the user may edit this post. Unfortunately, as seen below, FLBuilderModel::get_post_id() allows the ‘post_id’ to be supplied via HTTP POST data (abstracted away behind the self::get_post_data() function). A user can pass ‘post_id=0’ in the HTTP POST body, and with a post id of 0 the current_user_can() call is never reached.

[screenshot: bb-getpostid]

After circumventing those checks, a nefarious user can call any of the 40+ actions that Beaver Builder includes, which would allow them to create/edit pages, manage services, and list all users.
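Here is an added example (not Beaver Builder’s code) of a capability check with the shape just described, where a request-supplied post_id of 0 short-circuits the check, beside a version that fails closed. demo_user_can() is a stand-in for current_user_can(‘edit_post’, $id) with a made-up policy, and the request arrays are constructed.

```php
<?php
// Added example (not Beaver Builder's code): a capability check of the shape
// the post describes, where a request-supplied post_id of 0 short-circuits
// current_user_can(), beside a version that fails closed. demo_user_can()
// stands in for current_user_can('edit_post', $id); the requests are constructed.

// Demo policy: the logged-in user may edit post 10 and nothing else.
function demo_user_can(string $cap, int $post_id): bool
{
    return $cap === 'edit_post' && $post_id === 10;
}

// Mirrors a get_post_id() that prefers a value taken from the POST body.
function get_post_id(array $post_data): int
{
    return isset($post_data['post_id']) ? (int) $post_data['post_id'] : 0;
}

// Vulnerable shape: the capability check only runs when $post_id is truthy,
// so post_id=0 (or any non-numeric value, which casts to 0) bypasses it and
// the requested action runs for any logged-in user.
function ajax_vulnerable(array $post_data, bool $logged_in): bool
{
    if (!$logged_in) {
        return false;
    }
    $post_id = get_post_id($post_data);
    if ($post_id && !demo_user_can('edit_post', $post_id)) {
        return false;
    }
    return true; // the requested action would run here
}

// Hardened shape: an absent or invalid post id is itself a denial, and the
// capability check is unconditional. In real WordPress the handler would
// also verify a nonce with check_ajax_referer() before doing any work.
function ajax_hardened(array $post_data, bool $logged_in): bool
{
    if (!$logged_in) {
        return false;
    }
    $post_id = get_post_id($post_data);
    if ($post_id <= 0) {
        return false;
    }
    return demo_user_can('edit_post', $post_id);
}

// Constructed requests from a logged-in low-privilege user. The vulnerable
// handler lets post_id=0 through and denies post_id=42; the hardened handler
// denies both 0 and 42 and allows only the post the policy permits.
var_dump(ajax_vulnerable(['post_id' => '0'], true));
var_dump(ajax_vulnerable(['post_id' => '42'], true));
var_dump(ajax_hardened(['post_id' => '0'], true));
var_dump(ajax_hardened(['post_id' => '42'], true));
var_dump(ajax_hardened(['post_id' => '10'], true));
```

The general rule: an authorization check guarded by a truthiness test on attacker-controlled input is a check the attacker can switch off. Validate the identifier first, then always run the capability check against it.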

Timeline

  • 1/19/2016 3:30pm Sent request for contact information
  • 1/19/2016 10:54pm Response received
  • 1/20/2016 12:02am Security disclosure sent
  • 1/24/2016 Updated version released

WP-Invoice < 4.1.1 Multiple Security Vulnerabilities

The WP-Invoice plugin from Usability Dynamics, Inc. contains several security vulnerabilities. The wordpress.org stats claim 5,000+ active installs, so this is not a highly used plugin, but anything related to billing/invoices always puts me on edge. If you use this plugin I encourage you to update immediately.

I only evaluated the free version of this plugin and did not look at any of their paid add-ons for vulnerabilities. I discovered three issues that were accessible to unauthenticated users and one issue that required a valid WordPress account.

Unauthorized Setting Changes

Inside class_core.php the function admin_init() is hooked to the ‘admin_init’ WordPress action. That action fires whenever the admin files are loaded, which includes requests to admin-ajax.php that unauthenticated visitors can make; it has nothing to do with whether an administrator account is logged in.

Inside this function, user input is merged into the site’s settings and saved without any verification. Because the existing settings are merged in, individual settings can be updated selectively, including the emailed templates, the PayPal email address, and various other scary parts.

[screenshot: wpinvoice_admin_init]

Retrieving invoices of arbitrary users

I’m not sure this is the most critical of the flaws, but it does leak sensitive data, and the invoice numbers it returns can be used in the next vulnerability.

Here we have AJAX actions registered for both logged-in and not-logged-in users.

[screenshot: wpinvoice_load_invoices]

Upon first glance I thought this would allow only the current user’s invoices to be loaded.

[screenshot: wpinvoice_load_invoices1]

Upon further examination, if the user is logged in their own invoices are loaded, but if the user is not logged in, $_GET[‘wpi_user_id’] can be passed containing any WordPress numeric user_id, and that user’s invoices are returned.

[screenshot: wpinvoice_load_invoices2]

Updating previously invoiced users meta data

Through the magic of unauthenticated AJAX, the ‘wpi_gateway_process_payment’ action can be called.

[screenshot: wpinvoice_process_payment]

The wpi_gateway_base::process_payment() function takes user input in order to call the process_payment() function in various payment gateway handlers.

[screenshot: wpinvoice_process_payment1]

In this case ‘wpi_paypal’, ‘wpi_interkassa’, and ‘wpi_twocheckout’ all allow this. Below I’ll only show the ‘wpi_paypal’ variation. It allows various kinds of the user’s meta data to be updated, and if their CRM plugin is installed, any of the attributes used there can be updated as well.

[screenshot: wpinvoice_process_payment2]

Privilege escalation of logged in users

Through the ‘wpi_update_user_option’ AJAX action, a logged-in user can pass an arbitrary ‘meta_key’ and ‘meta_value’ that get written to their own account’s user meta. Many of these options are legitimately editable by the user via their profile, but a user should never be able to modify ‘wp_capabilities’ (the meta key that holds their roles) or other potentially dangerous fields.

[screenshot: wpinvoice_update_option]
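As an added example (not WP-Invoice’s code), the block below shows hardened shapes for the AJAX patterns from the ‘wpi_user_id’, ‘wpi_gateway_process_payment’, and ‘wpi_update_user_option’ sections: the user whose data is read or written always comes from the session, never from a request parameter, and a logged-in user may only write an allowlisted set of their own meta keys, so ‘wp_capabilities’ is unreachable. The meta and invoice stores, the user ids, the allowlisted key names, and the requests are all constructed for the demo.

```php
<?php
// Added example (not WP-Invoice's code): hardened shapes for the AJAX
// patterns the post discusses. The user whose data is read or written comes
// from the session (never from a wpi_user_id-style request parameter), and a
// logged-in user can only write an allowlisted set of their own meta keys, so
// wp_capabilities cannot be touched. Stores, users and requests are constructed.

// Profile fields a user may change about themselves (constructed allowlist).
const SELF_EDITABLE_META = ['billing_phone', 'billing_company', 'billing_address'];

// Stand-ins for WordPress user meta and for the plugin's invoice storage.
$user_meta = [
    5 => ['wp_capabilities' => ['subscriber' => true], 'billing_phone' => ''],
    9 => ['wp_capabilities' => ['administrator' => true]],
];
$invoices = [
    5 => [['id' => 1001, 'total' => '40.00']],
    9 => [['id' => 2001, 'total' => '999.00']],
];

// Vulnerable shape: when nobody is logged in, the caller picks the user.
function load_invoices_vulnerable(array $invoices, int $current_user_id, array $request): array
{
    $user_id = $current_user_id ?: (int) ($request['wpi_user_id'] ?? 0);
    return $invoices[$user_id] ?? [];
}

// Hardened shape: only the logged-in user's own invoices; the request is
// ignored. Register this with wp_ajax_ only, with no wp_ajax_nopriv_ handler.
function load_invoices_hardened(array $invoices, int $current_user_id, array $request): array
{
    if ($current_user_id === 0) {
        return [];
    }
    return $invoices[$current_user_id] ?? [];
}

// Vulnerable shape: meta_key and meta_value go straight into user meta,
// which is also what a gateway process_payment() writing request input does.
function update_user_option_vulnerable(array &$meta, int $current_user_id, array $request): bool
{
    if ($current_user_id === 0) {
        return false;
    }
    $meta[$current_user_id][$request['meta_key']] = $request['meta_value'];
    return true;
}

// Hardened shape: allowlisted key, scalar value, identity from the session.
function update_user_option_hardened(array &$meta, int $current_user_id, array $request): bool
{
    if ($current_user_id === 0) {
        return false;
    }
    $key   = $request['meta_key'] ?? '';
    $value = $request['meta_value'] ?? null;
    if (!is_string($key) || !in_array($key, SELF_EDITABLE_META, true) || !is_scalar($value)) {
        return false;
    }
    $meta[$current_user_id][$key] = (string) $value;
    return true;
}

// An anonymous caller (user id 0) asking for user 9's invoices: the
// vulnerable handler returns them, the hardened one returns nothing.
var_dump(load_invoices_vulnerable($invoices, 0, ['wpi_user_id' => '9']));
var_dump(load_invoices_hardened($invoices, 0, ['wpi_user_id' => '9']));

// User 5 (a subscriber) trying to grant themselves administrator, run
// against two copies of the store so the outcomes can be compared.
$escalate = ['meta_key' => 'wp_capabilities', 'meta_value' => ['administrator' => true]];
$meta_v = $user_meta;
$meta_h = $user_meta;
update_user_option_vulnerable($meta_v, 5, $escalate);
var_dump($meta_v[5]['wp_capabilities']);   // now administrator
update_user_option_hardened($meta_h, 5, $escalate);
var_dump($meta_h[5]['wp_capabilities']);   // still subscriber
// A legitimate self-edit still works through the hardened path.
update_user_option_hardened($meta_h, 5, ['meta_key' => 'billing_phone', 'meta_value' => '555-0100']);
var_dump($meta_h[5]['billing_phone']);
```

Two design choices carry the weight here. First, identity is a session property, so a nopriv handler that needs to know who the user is has no safe way to find out and should not exist. Second, the set of writable meta keys is a fixed list the code owns; anything keyed on the WordPress table prefix, such as ‘wp_capabilities’ or ‘wp_user_level’, can never appear in it.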

Timeline

  • 1/15/2016 11:28am Initial contact email sent
  • 1/18/2016 3:14am Contact information received
  • 1/19/2016 11:58am Full disclosure email sent
  • 1/29/2016 6:23am Vendor responded saying issues were resolved in latest release