Newsletter 3.6.9, Open Redirect
The Newsletter plugin is susceptible to an Open Redirect vulnerability. This issue is due to the fact user input it taken, and trusted, without validation. This user input is used when tracking link clicks, via the ‘newsletter/statistics/link.php’ script. User input is Base64 encoded, and split on the ‘;’ character, the third column of which can be manipulated in order to control where the user is redirected to.
Sanitize user input – ensure provided URLs are valid, or do not allow user input of URLs at all.
Proof of Concept
The following script will generate a URL, which when visited will cause the user to be redirected to the site ‘http://evilsite.com’.
import base64 target_url = "http://evilsite.com" target_blog = "http://localhost" payload = base64.b64encode("0;0;%s;0"%target_url) print "%s/wp-content/plugins/newsletter/statistics/link.php?r=%s"%(target_blog,payload)
- 2015-03-16: Discovered
- 2015-03-16: Vendor notified
- 2015-03-17: Version 3.7.0 released – issue still present
- 2015-03-30: No reply from vendor – advisory released