Nasty session stealing hole filled in WordPress All in One SEO plugin

WordPress has patched a hole in its popular All in One search engine optimisation plugin, a tool that’s been downloaded by some 30 million users and is used on a million sites.

Flaws exists in the Bot Blocker component which can be exploited to steal administrator tokens and conduct actions through cross-site scripting vulnerabilities.

Users must upgrade to version to guard against the flaw, which only manifests when users activate the tracked bot setting.

Dutch researcher David Vaartjes posted a proof-of-concept exploit detailing how to exploit exposed sites.

He says attackers can lace request headers with malicious Javascript that will be logged inside the tracked bot panel page, and then executed to nab an admin’s session token.

“A stored cross-site scripting vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress plugin,” Vaartjes says.

“Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the admin dashboard by just visiting the public site with a malformed user agent or referrer header.

“If the ‘track blocked bots’ setting is [deliberately] enabled, blocked request are logged in that HTML page without proper sanitisation or output encoding, allowing XSS.”

Proof-of-concept XSS demo

WordPress sites are a favourite for attackers, because scores of exploits target the core CMS and many more attack the many third-party plugins that enhance its functionality. Plenty of admins patch neither the CMS or plugins, or patch the CMS and neglect plugins that patch on different cycles. Whatever the reason for patches being missed, WordPress often ends up used used often in command and control infrastructure to deliver exploit kits and various drive-by-downloads. ®

Global DDoS threat landscape report

Article source:

Related Posts