WordPress Flaws and Vulnerabilities

XSS and WPML Using Accept-Language Header

Blog WordPress Flaws and Vulnerabilities XSS and WPML Using Accept-Language Header
0 comments

WPML is a famous premium multilingual plugin for WordPress.

On 08/31/2015 the version 3.2.7 fix a XSS flaw already there since v2.9.3.

The file is ajax.php at plugin’s root, the code is:

case 'get_browser_language':
		$http_accept_language            = $_SERVER[ 'HTTP_ACCEPT_LANGUAGE' ];
		$accepted_languages              = explode( ';', $http_accept_language );
		$default_accepted_language       = $accepted_languages[ 0 ];
		$default_accepted_language_codes = explode( ',', $default_accepted_language );
		echo wpml_mb_strtolower( $default_accepted_language_codes[ 0 ] );
exit;

The plugin will read the Accept-Language header, cut it using ;, take the first element, cut it using ,, take the first element again and displays it lowercased.

The flaw is that there is no sanitization o the output, so it’s easy to modify a HTTP request header to insert JS code that will be executed, or even full PHP code that could be included later using a LFI (Local File Inclusion) flaw..

The version 3.2.7 fix the flaw adding sanitization on the ouput.

baw_150902-0115451

 

0 comments