OAuth Single Sign On – SSO (OAuth Client) by miniOrange WordPress plugin Authentication Bypass
LANAVDB ID: 12bb3c02-45f1-4ce8-8a5a-8b44352cf7fc
The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website.
Let’s check the plugin
The mo_oauth_login_validate() function includes the following request handling:
if ( isset( $_REQUEST['option'] ) and strpos( $_REQUEST['option'], 'mooauth' ) !== false ) {
    $user_email = '';
    if ( array_key_exists( 'email', $_POST ) ) {
        $user_email = sanitize_email( $_POST['email'] );
    }
    if ( $user_email ) {
        if ( email_exists( $user_email ) ) { // user is a member
            $user = get_user_by( 'email', $user_email );
            $user_id = $user->ID;
            wp_set_auth_cookie( $user_id, true );
        } else { // this user is a guest
            $random_password = wp_generate_password( 10, false );
            $user_id = wp_create_user( $user_email, $random_password, $user_email );
            wp_set_auth_cookie( $user_id, true );
        }
    }
    wp_redirect( home_url() );
    exit;
}
We can see from the code that if we specify $_POST['email'], the plugin will log the user in using the wp_set_auth_cookie() function. No verification or authentication. Nothing.
The other problem with the plugin is that if we give an email address in the request that does not exist in the database, it will create a new user, even if registration on the WordPress website is not enabled.
Let’s see how we can exploit this vulnerability
We only need to send a POST request to exploit this vulnerability.
The HTTP request to https://lana.solutions/vdb/miniorange-oauth-client/, a test WordPress website:
The exploit script
I created a Python script that returns the WordPress logged_in and auth cookie:
Source: miniorange_oauth_client_plugin_vdb_get_exploit_cookie.py
How to use:
Run the above command in the Linux terminal.
We get something like this:
Then all we have to do is set the cookie using the browser’s Developer Tools on the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/
The professional exploit script
I also created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:
Source: miniorange_oauth_client_plugin_vdb_exploit_with_selenium.py
How to use:
Run the above command in the Linux (desktop version) terminal.
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.
Client: https://lana.solutions/vdb/miniorange-oauth-client/
Server: https://lana.solutions/vdb/miniorange-oauth-server/
Additional tests
I created a Postman request for the exploit: Postman Web – MiniOrange Auth Request
Anyone can use it after forking it. The required variables are stored in the collection.
Tags: authentication bypass, exploit, php, python, wordpress, plugin