All in One SEO Pack - Robots.txt Feature [Reflected XSS]
Description
Plugin All in One SEO Pack provides the feature for Robots.txt which allows the user to update and/or optimize the robots.txt file of the website. An attacker could trick the website admin to submit a form in order to perform a Reflected XSS attack.
Crafting a malicious POST request the attacker can pass arbitrary values
to param $_POST['aiosp_robots_generator_robotgen']. If another parm,
the $_POST['Submit_Optimize'] is set, then the former will be printed
without escaping thus allowing the injection of JS code.
The problem seems to occur because the lack of user input sanitization and not proper escaping of user supplied input prior printing them on screen.
For this attack to work the feature Robots.txt must be enabled and the
user that submits the request must have the aiosp_manage_seo
capability (typically administrators do).
PoC
<form action="http://sbwp4.dev/wp-admin/admin.php?page=aiosp_robots_generator" method="post">
<input type="hidden" name="Submit_Optimize" value="1" />
<input type="hidden" name="aiosp_robots_generator_robotgen" value="<script>alert(/XSS/)</script>" />
<input type="submit" id="submit-btn" value="Click Me!" />
</form>
- 13 July 2016
- Pan Vag
- semperfiwebdesign.com
- All in One SEO Pack - Robots.txt Feature
- 2.3.8
- WordPress 4.5.2
- DWF-2016-87085