------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin
------------------------------------------------------------------------
Alyssa Milburn <amilburn.at.zall.org>, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the 404 to 301
WordPress Plugin. This issue can be exploited by an anonymous user and
allows an attacker to perform a wide variety of actions, such as
stealing users' session tokens, or performing arbitrary actions on their
behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on 404 to 301 [2] WordPress Plugin
version 2.2.8.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in 404 to 301 [3] WordPress Plugin version 2.3.1.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The 404 to 301 [2] WordPress Plugin automatically redirects, logs and
notifies all 404 page errors to any page using 301 redirect for SEO. A
Stored Cross-Site Scripting vulnerability exists in the 404-to-301
WordPress plugin.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the file admin/class-404-to-301-logs.php,
which fails to correctly escape user-controlled strings which are output
in HTML tables containing logs shown to site administrators, such as the
Referer (ref) and User-Agent (ua) fields.

In order to exploit this issue, after an attack attempt has been made,
an administrator must view the logs (via the WordPress administration
console) provided by the plugin, by clicking '404 Error Logs'.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Submit an HTTP request to a non-existent URL (to trigger the 404
handler) containing a header such as one of the following:

Referer: "<iframe src=/></iframe>
User-Agent: "<script>alert(/hi/);</script>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
[2] https://wordpress.org/plugins/404-to-301/
[3] https://downloads.wordpress.org/plugin/404-to-301.2.3.1.zip