Not Just Another Broken Link…

 

Introduction

 

wp1

 

Check Point researcher Dikla Barda recently discovered critical vulnerabilities in two widely used WordPress plugins: the Broken Link Checker and the Download Manager. These vulnerabilities allow:

  • Access to private data by unauthenticated users via Path Traversal.
  • Execution of malicious code and theft of user sessions via a stored XSS vulnerability.

 

Both plugins are widely deployed over 1.4 million web sites & they already issued a patch for these vulnerabilities.

 

Vulnerable WordPress plugins:

 

Broken Link Checker

 

Broken Link Checker is a plugin that monitors links on a website, including all pages, posts, and comments. Broken Link Checker notifies the administrator of any broken links that are found.

This plugin is very popular with WordPress website owners. There are over 400,000 active installations of the Broken Link Checker plugin, and more than 3 million downloads.

 

Download Manager

wp2

 

Download Manager is a plugin for managing files and documents. It is used as a complete e-commerce solution for selling digital products. There are over a million installations of Download Manager world-wide.

 

Description of the Vulnerabilities

 

Broken Link Checker

Check Point researchers discovered a persistent stored cross site scripting vulnerability, also known as a stored XSS, in the Broken Link Checker. Stored XSS occurs when a web application gathers potentially malicious input from a user and then stores it on the site. This vulnerability can be used by attackers to obtain a crafted link with malicious payload via the post / comment fields. The JavaScript code is executed when the site administrator attempts to enter the Broken Link Checker control panel.

 

Attack Vector:

 

  1. A user with low privilege injects the JavaScript code while posting on the site.

wp3

 

  1. The malicious JavaScript code is stored and will be executed when the administrator accesses the control panel.

wp4

 

  1. JavaScript injection Executes

wp5

 

Download Manager

 

The Download Manager plugin by default uses an add-on called Extended Short-codes. This generates a tree view of the server categories and current packages, allowing the administrator to navigate manually for any required data.

 

wp6

 

The add-on exposes a severe vulnerability that allows a malicious and unauthenticated user to browse the file system.

Researchers at Check Point discovered that by sending a crafted post request allows the user to view the content of any folder on the web server.

 

Attack Vector:

 

  1. The request vulnerability:

Within the site’s posting parameters, a user can request to view any directory from the webserver. An unauthorized user can send the same post request for any location on the server file system.

 

This example shows a request for the /etc/ folder:

Figure 7: Post Request Sent by an Attacker to View '/etc' folder

 

The not-so-surprising result:

Figure 8: WebServer Response with the FileSystem Tree

 

Attackers can use this method to get sensitive information from the server.

 

How can you protect your system against these vulnerabilities?

 

Check Point IPS currently protects against exploitation attempts of these vulnerabilities.

Protections names:

  1. “WordPress Download Manager Plugin Information Disclosure”
  2. “WordPress Broken Link Checker Plugin Cross-Site Scripting”

 

Check Point recommends updating your plugins to the latest version.

For the Broken Link Checker – v1.10.8 available here: https://wordpress.org/plugins/broken-link-checker/

For the Download Manager – v2.7.92 available here: https://wordpress.org/plugins/download-manager/


  1. This design is steller! You certainly know how to keep a reader amused.
    Between your wit and your videos, I was almost moved to
    start my own blog (well, almost…HaHa!) Fantastic job.
    I really enjoyed what you had to say, and more than that,
    how you presented it. Too cool!

Comments are closed.