Web Flaws and Vulnerabilities

WPS Limit Login v1.4.5 Multiple Vulnerabilities

Blog Web Flaws and Vulnerabilities WPS Limit Login v1.4.5 Multiple Vulnerabilities
0 comments

WPS Limit Login is edited by WP Serveur, WordPress french host. Criticity level for this update is medium.

Protection ByPass

File : /classes/plugin.php

Method : get_address()

Issue : This method will read the variable HTTP_X_FORWARDED_FOR which is, like its name says, a cross data with the browser (HTTP X (X = Cross)). It’s enough to change the header X-Forwarded-For for each request to always be the first attempt, so the plugin can’t block you. It’s now easy to create an automated brute force on the password if you don’t have a protection like SecuPress.

Stored XSS in admin area #1

File : /blocks/log.php

Line : 69

…<?php echo $user_info['ip']; ?>…

File : /classes/plugin.php

Line : 1396

echo '<p>' . date_i18n( 'd/m/Y H:i:s', $date ) . ' - ' . $user_info['ip']…

Issue : There is no escaping, no sanitization, either on input neither output. It displays what the visitor says what its IP is. Like we said earlier, the value of HTTP_X_FORWARDED_FOR is a free one from the browser and you can fake it. It’s possible to inject text, script in the admin area, using the preinstalled jQuery on any page.

Stored XSS in admin area #2 & #3

File : /blocks/whitelist.php

Lines 2-3 & 20 :

$wps_limit_login_white_list_ips = $this->get_option( 'wps_qlimit_login_whitelist' );
$wps_limit_login_white_list_ips = ( is_array( $wps_limit_login_white_list_ips ) && ! empty( $wps_limit_login_white_list_ips ) ) ? implode( "\n", $wps_limit_login_white_list_ips ) : '';

…

<?php echo $wps_limit_login_white_list_ips; ?>

Issue : No sanitization and no control of the input and output.

So it’s possible to do this:

in the textarea</textarea> out of the textarea <input…>

This will be printed out of the textarea, my test and my INPUT field, we can of course do worse.

CSRF

File : /classes/plugin.php

Line : 1450

Issue : There is a lack of nonce token. I can send this link to an admin or include it in a hidden page, this will trigger:

https://example.com/wp-admin/admin-ajax.php?action=wpslimitlogin_rated

Nothing so bad here, but if we base our future devs on that kind of code, it will become a problem. Better handle this now.

These vulnerabilities have been patched in the v1.4.6.1

0 comments