BuddyPress Social Connect by VibeThemes WordPress plugin Authentication Bypass
LANAVDB ID: 1bd0dfd9-ffec-4d69-bc55-286751300cab
The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the website.
Let’s check the plugin
The bp_social_connect_facebook class adds the following action hook:
The bp_social_connect_facebook_login() function includes the following request handling:
extract( $_POST );
This PHP call imports every field of the POST body into a local variable of the same name, so whatever the client sends becomes a trusted-looking variable inside the function.
The function then tries to find the user based on the user ID received from Facebook, and if there is such a user, it logs the user in. It then tries to find the user based on the email received from Facebook. If there is such a user, it logs the user in:
The function never verifies that the data actually came from Facebook: any arbitrary value can be placed in the request, and nothing in the function checks it. So if we put a user’s email in the request, the function immediately logs us in as that user without any verification.
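As an added example (not the plugin’s own code), this is the shape a hardened version of the handler should take: the account is chosen from what Facebook asserts about the presented access token, never from id or email fields read out of $_POST. It assumes FB_APP_ID and FB_APP_SECRET constants, a nonce field named security and a token field named access_token; those names and the ajax action are illustrative.

```php
<?php
// Added example, not the plugin's code. Identity comes from Facebook's answer
// about the token, not from the POST body. Assumed: FB_APP_ID / FB_APP_SECRET
// defined (e.g. wp-config.php); field/action names are illustrative.

function bpsc_example_graph_get( $path, array $args ) {
    $resp = wp_remote_get( add_query_arg( $args, 'https://graph.facebook.com/' . $path ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $body ) ? $body : null;
}

function bpsc_example_facebook_login() {
    // Reject requests that were not deliberately submitted from our page (CSRF).
    check_ajax_referer( 'bpsc_example_login', 'security' );
    $token = isset( $_POST['access_token'] ) ? sanitize_text_field( wp_unslash( $_POST['access_token'] ) ) : '';
    if ( '' === $token ) {
        wp_send_json_error( 'missing access token', 400 ); // dies
    }

    // 1. Let Facebook confirm the token is valid and was issued to this app.
    $dbg = bpsc_example_graph_get( 'debug_token', array(
        'input_token'  => $token,
        'access_token' => FB_APP_ID . '|' . FB_APP_SECRET, // app access token
    ) );
    if ( empty( $dbg['data']['is_valid'] ) || (string) $dbg['data']['app_id'] !== (string) FB_APP_ID ) {
        wp_send_json_error( 'token rejected', 401 );
    }

    // 2. Read id and email from Facebook's answer, not from the request body.
    $me = bpsc_example_graph_get( 'me', array( 'fields' => 'id,email', 'access_token' => $token ) );
    if ( empty( $me['id'] ) || (string) $me['id'] !== (string) $dbg['data']['user_id'] ) {
        wp_send_json_error( 'profile lookup failed', 401 );
    }

    // 3. Prefer an account already linked to this Facebook id; otherwise fall
    //    back to the Facebook-asserted email. The client never picks the account.
    $linked = get_users( array( 'meta_key' => 'bpsc_example_fb_id', 'meta_value' => $me['id'], 'number' => 1 ) );
    $user   = $linked ? $linked[0] : ( empty( $me['email'] ) ? false : get_user_by( 'email', $me['email'] ) );
    if ( ! $user ) {
        wp_send_json_error( 'no account for this identity', 401 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success( array( 'user_id' => $user->ID ) );
}
add_action( 'wp_ajax_nopriv_bpsc_example_login', 'bpsc_example_facebook_login' );
```

The Graph API omits email when the Facebook account has none or the user declined the permission, so the email fallback is optional and the linked-id match is the reliable path.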
Let’s see how we can exploit this vulnerability
We only need to send a POST request to exploit this vulnerability.
The HTTP request to https://lana.solutions/vdb/vibethemes-bp-social-connect/, a test WordPress website:
Note: the security value (the nonce) is found in the page head as a hidden HTML input.
The exploit script
I created a Python script that returns the WordPress logged_in and auth cookie:
Source: vibethemes_bp_social_connect_plugin_vdb_get_exploit_cookie.py
How to use:
We get something like this:
Then all we have to do is set the cookie using the browser’s Developer Tools on the website, which in our case is https://lana.solutions/vdb/vibethemes-bp-social-connect/
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.
Website: https://lana.solutions/vdb/vibethemes-bp-social-connect/
Tags
authentication bypass exploit wordpress plugin