Web Flaws and Vulnerabilities

WPS Hide Login v1.5.2.2 Multiple Vulnerabilities


WPS Limit Login is published by WP Serveur, a French WordPress host. The severity level of this update is low.

Protection Bypass #1

File : /classes/plugins.php

Lines : 427 

    if ( isset( $request['query'] ) && strpos( $request['query'], 'action=confirmaction' ) !== false ) {
        @require_once ABSPATH . 'wp-login.php';
    }

Issue : The check is a plain substring search on the raw query string, so any URL that contains “action=confirmaction” anywhere (as part of another parameter name, for instance) is enough to reach the login page.

Demo : https://example.com/wp-login.php?SECUPRESSaction=confirmaction

Protection Bypass #2

File : /classes/plugins.php

Lines : 477-480

    if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && $pagenow !== 'admin-post.php' && ( isset( $_GET ) && empty( $_GET['adminhash'] ) && $request['path'] !== '/wp-admin/options.php' ) ) {
        wp_safe_redirect( $this->new_redirect_url() );
        die();
    }

Issue : Reading the code, you can see that the redirect only happens when “adminhash” is empty. If the “adminhash” parameter is present in the URL with any non-empty value, the redirect is skipped and you are granted access to the login page.

Demo : https://exemple.com/wp-admin/?adminhash=1 
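As an added example (this is not code from the plugin or from this post), the following PHP puts the substring and presence checks of bypasses #1 and #2 side by side with checks that parse the query string into named parameters and compare the value exactly. The request samples and the `$expected` token are constructed for illustration; the real token the application would issue is an assumption here.

```php
<?php
// Added example, not the plugin's code: contrast "substring anywhere in the
// query string" / "parameter merely present" with exact parameter matching.

/**
 * Weak check as quoted above for bypass #1: any occurrence of the substring in
 * the raw query string passes, so "SECUPRESSaction=confirmaction" passes too.
 */
function weak_allows_login(string $query): bool {
    return strpos($query, 'action=confirmaction') !== false;
}

/**
 * Strict check: parse the query string into discrete parameters and require
 * the parameter *named* "action" to equal "confirmaction" exactly.
 */
function strict_allows_login(string $query): bool {
    parse_str($query, $params);
    return isset($params['action']) && $params['action'] === 'confirmaction';
}

/**
 * Weak admin gate as quoted above for bypass #2: a non-empty "adminhash" of
 * any value skips the redirect.
 */
function weak_admin_redirect_skipped(array $get): bool {
    return !empty($get['adminhash']);
}

/**
 * Stricter gate: only skip the redirect when the value matches a token the
 * server issued, compared in constant time. $expected is a placeholder for
 * whatever secret the application actually stores (assumption).
 */
function strict_admin_redirect_skipped(array $get, string $expected): bool {
    return isset($get['adminhash'])
        && is_string($get['adminhash'])
        && hash_equals($expected, $get['adminhash']);
}

// Constructed samples: the request shapes discussed above plus legitimate ones.
$queries = [
    'action=confirmaction&request_id=1', // legitimate shape
    'SECUPRESSaction=confirmaction',     // bypass #1 shape: substring only
    'foo=bar&action=confirmaction',      // legitimate, different order
    'action=confirmactionX',             // substring still matches the weak check
];
foreach ($queries as $q) {
    printf("%-38s weak=%-3s strict=%s\n", $q,
        weak_allows_login($q) ? 'yes' : 'no',
        strict_allows_login($q) ? 'yes' : 'no');
}

$expected = 'constructed-server-side-token'; // placeholder, not a real value
foreach ([['adminhash' => '1'], ['adminhash' => $expected], []] as $get) {
    printf("adminhash=%-32s weak_skip=%-3s strict_skip=%s\n",
        var_export($get['adminhash'] ?? null, true),
        weak_admin_redirect_skipped($get) ? 'yes' : 'no',
        strict_admin_redirect_skipped($get, $expected) ? 'yes' : 'no');
}
```

Exact matching on the parsed parameter removes the substring bypass, and tying the value to a server-issued token removes the "any non-empty value" bypass. Neither check authenticates anything by itself: the handler that processes the action still has to validate the rest of the request, so a gate in front of the login page should never be the only control.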

Protection Bypass #3

File : /classes/plugin.php

Lines : 653-656

    if ( ! empty( $_GET ) && isset( $_GET['action'] ) && 'rp' === $_GET['action'] && isset( $_GET['key'] ) && isset( $_GET['login'] ) ) {
        wp_redirect( $this->new_login_url() );
        exit();
    }

Issue : This code path is active when you have WooCommerce enabled (more than 60% of WordPress e-commerce sites). The parameters only need to be present, not valid, for the redirect to the hidden login URL to happen.

Demo : https://example.com?action=rp&key&login 

Protection Bypass #4

File : /classes/plugin.php

Lines : 563

    if ( strpos( $url, 'wp-login.php' ) !== false ) {

Issue : Once again, the check only tests for the presence of a string in a URL (here, the Referer, which the client controls) before granting access to the login page.

Demo : Modify the “Referer” header so that it contains “wp-login.php”, then send an empty POST request to “https://example.com/wp-login.php?action=postpass”.

The WordPress core will do this:

    if ( ! array_key_exists( 'post_password', $_POST ) ) {
        wp_safe_redirect( wp_get_referer() );
        exit();
    }

So our Referer is read by wp_get_referer(), the redirect URL passes through the plugin’s hook, and since it contains “wp-login.php” we are redirected to the login page.

Default Parameter Usage

File : /classes/plugin.php

Issue : If the default value is used, we know that the default is “login”, so if I can’t access your login page, I’ll try “/login” first. Also, /login is already a shortcut in WordPress, so nothing has really changed: bots already know that one.

Full Path Disclosure

File : /classes/plugin.php

Lines : 498

    && ( $result = wpmu_activate_signup( $referer['key'] ) )

Issue : If we trigger the hook “wps_hide_login_signup_enable” with the correct URL, we get a Fatal Error because the function wpmu_activate_signup() is not declared at that point; the file that defines it is never included. The displayed error discloses the full path of the plugin file.

These vulnerabilities have been patched in v1.5.3.
