AddToAny Share Buttons <= 1.7.14 - Conditional Host Header Injection


Description
Plugin description: "AddToAny is the universal sharing platform, and AddToAny’s plugin is the most popular share plugin for WordPress, making sites social media ready since 2006."
Active installs (according to https://wordpress.org/plugins/add-to-any/): 400,000+ (checked on 15. Aug 2017)

It is possible to inject a custom Host header, which the plugin then uses to build the link that is shared on social media platforms when users click the buttons. Combined with web cache poisoning, every user would share the malicious website.



README.txt:179-192

To share the current URL and title (detected on the client-side):

	`<?php if ( function_exists( 'ADDTOANY_SHARE_SAVE_KIT' ) ) { 
		ADDTOANY_SHARE_SAVE_KIT( array( 'use_current_page' => true ) );
	} ?>`

To hardcode the shared current URL and modify the title (server-side):

	`<?php if ( function_exists( 'ADDTOANY_SHARE_SAVE_KIT' ) ) { 
		ADDTOANY_SHARE_SAVE_KIT( array( 
			'linkname' => is_home() ? get_bloginfo( 'description' ) : wp_title( '', false ),
			'linkurl'  => esc_url_raw( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ),
		) );
	} ?>`



Both versions will use the malicious Host header as the domain.


The following code is part of the function A2A_SHARE_SAVE_link_vars( $linkname = false, $linkurl = false, $linkmedia = false, $use_current_page = false ).

add-to-any.php:72-81

	// Set linkurl
	if ( ! $linkurl ) {
		if ( $use_current_page ) {
			$linkurl = esc_url_raw ( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
		} elseif ( isset( $post ) ) {
			$linkurl = get_permalink( $post->ID );
		} else {
			$linkurl = '';
		}
	}

add-to-any.php:83

	$linkurl_enc = rawurlencode( $linkurl );

add-to-any.php:88

	return compact( 'linkname', 'linkname_enc', 'linkurl', 'linkurl_enc', 'linkmedia', 'linkmedia_enc' );


The following code is part of the function ADDTOANY_SHARE_SAVE_KIT( $args = array() ).

add-to-any.php:100

	$args = array_merge( $args, A2A_SHARE_SAVE_link_vars( $linkname, $linkurl, $linkmedia, $use_current_page ) ); // linkname_enc, etc.

add-to-any.php:108

	extract( $args );

add-to-any.php:173

	$kit_html = ADDTOANY_SHARE_SAVE_ICONS( $args );


The following code is part of the function ADDTOANY_SHARE_SAVE_ICONS( $args = array() ).

add-to-any.php:200

	$args = array_merge( $args, A2A_SHARE_SAVE_link_vars( $linkname, $linkurl, $linkmedia ) ); // linkname_enc, etc.

add-to-any.php:221

	extract( $args );

add-to-any.php:339

	$url = isset( $href ) ? $href : 'https://www.addtoany.com/add_to/' . $safe_name . '?linkurl=' . $linkurl_enc .'&amp;linkname=' . $linkname_enc;




Impact:

If the attacker managed to poison the website cache, he could make the users share his website for fun and profit, host malicious code on his website and get traffic to it this way, or clone the website he is attacking on a squatted domain in order to log the login credentials of users who do not notice that it is not the real website.
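
The flow traced above, next to a hardened variant, as an added example that is not the plugin's code or its 1.7.15 fix. It is plain PHP so it runs without WordPress; `CANONICAL_HOSTS`, the function names and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example in plain PHP (no WordPress functions needed to run it).
// CANONICAL_HOSTS and all function names here are hypothetical.
const CANONICAL_HOSTS = ['blog.example.org', 'www.example.org']; // constructed

function scheme(array $server): string {
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https://' : 'http://';
}

// Same pattern as add-to-any.php:72-81: the domain is taken from the request.
function share_url_from_request(array $server): string {
    return scheme($server) . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Hardened: the Host header may only select one of the configured names.
// Anything else falls back to the primary name, so a spoofed header never
// reaches the generated (and possibly cached) share link.
function share_url_from_config(array $server, array $hosts = CANONICAL_HOSTS): string {
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);      // ignore an explicit port
    if (!in_array($host, $hosts, true)) {
        $host = $hosts[0];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {            // accept origin-form paths only
        $uri = '/';
    }
    return scheme($server) . $host . $uri;
}

// Constructed $_SERVER-like inputs: one normal request, one with a spoofed Host.
$requests = [
    'normal'  => ['HTTPS' => 'on', 'HTTP_HOST' => 'blog.example.org', 'REQUEST_URI' => '/2017/08/post/'],
    'spoofed' => ['HTTPS' => 'on', 'HTTP_HOST' => 'attacker.example', 'REQUEST_URI' => '/2017/08/post/'],
];

foreach ($requests as $label => $server) {
    printf("%-8s request-derived: %s\n", $label, share_url_from_request($server));
    printf("%-8s config-derived:  %s\n", $label, share_url_from_config($server));
    // linkurl_enc as it would be placed in the share link's query string
    printf("%-8s linkurl_enc:     %s\n\n", $label, rawurlencode(share_url_from_config($server)));
}
```

Inside WordPress the configured name does not need a separate list: `home_url()` returns the site address stored in the site options rather than the value of the request's Host header.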


Timeline:

16. Aug 2017 1:09 AM CEST - Vendor contacted
16. Aug 2017 3:20 AM CEST - Vendor answered and fixed it (Version 1.7.15)

Affects Plugin

fixed in version 1.7.15

References

URL https://plugins.trac.wordpress.org/changeset/1713858/add-to-any

Classification

Type UNKNOWN

Miscellaneous

Submitter Paul Dannewitz
Submitter Twitter padannewitz
Verified No
WPVDB ID 8885

Timeline

Publicly Published 2017-08-16 (3 months ago)
Added 2017-08-16 (3 months ago)
Last Updated 2017-08-16 (3 months ago)
