WP OAuth Server (Login with WordPress) by miniOrange WordPress plugin Authentication Bypass
REPORT ID: 6d794d65-d44b-4099-94c5-3dd2995b218c
The plugin contains an authentication bypass vulnerability. To bypass authentication, we only need to know a user’s username. Usernames can be easily queried because they are usually public data, and depending on whose username we know, we may even be given an administrator role on the client’s website.
Let’s check the plugin
The _mo_get_logged_user_from_auth_cookie() function gets the logged in user with the following code:
We can see from the code that it uses the wp_parse_auth_cookie() function, which is a faulty use in this case, because that function performs no authentication at all. Description of the function:
Authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value.
The documentation clearly states that the returned components are not validated, yet the plugin does not perform any validation of its own.
Let’s see how we can exploit this vulnerability
All we have to do is set a logged in cookie that contains the username. The other values can be anything, as there is no validation in the plugin.
Run the above command in the Linux (desktop version) terminal.
How the exploit works step by step:
Opens OAuth server website
Sets the logged in cookie with the “test” username
Opens OAuth client website
Clicks the Single Sign On button (which starts the OAuth authentication)
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.
The default logged in cookie name is:
where the hash is:
So on https://lana.solutions/vdb/miniorange-oauth-server, which is a test WordPress website, the hash is 57a442d3cd2a47583304a69461f75869, which is the result of the following function:
If we set the following cookie, we can authenticate ourselves as a test user on the OAuth server:
Then all we have to do is set the cookie using the browser’s Developer Tools on the server’s website.
So we can even do this through a browser: open the server’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-server/.
Then open the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/wp-admin, and log in using the Single Sign On button.
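To make the difference concrete, here is an added Python model (not code from the report or from the plugin) of what the plugin does with the logged-in cookie, next to the kind of check WordPress’s own wp_validate_auth_cookie() performs before trusting a username. The user records, salt, token and forged cookie are constructed sample data, and the key derivation is a simplified assumption rather than WordPress core’s exact code.

```python
import hashlib
import hmac

# Constructed sample data (not from the report): two user records, a site salt, a forged cookie.
SALT = b"constructed-auth-salt"
USERS = {"test": {"user_pass": "$P$Bconstructedhash0123456789abcdef"},
         "admin": {"user_pass": "$P$Bdifferenthashfedcba9876543210"}}
FORGED_COOKIE = "test|anything|anything|anything"  # only the username needs to be real

def logged_in_cookie_name(site_url):
    """Default cookie name: 'wordpress_logged_in_' + md5(siteurl), as WordPress derives COOKIEHASH."""
    return "wordpress_logged_in_" + hashlib.md5(site_url.encode()).hexdigest()

def parse_auth_cookie(cookie):
    """Mirrors wp_parse_auth_cookie(): split into components, no validation of any kind."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    return dict(zip(("username", "expiration", "token", "hmac"), parts))

def vulnerable_user_from_cookie(cookie):
    """What the plugin effectively does: trust the username straight out of the parsed cookie."""
    parsed = parse_auth_cookie(cookie)
    return parsed["username"] if parsed else None

def cookie_hmac(username, pass_frag, expiration, token, salt=SALT):
    """Simplified model of WordPress key derivation (an assumption, not the exact core code)."""
    key = hmac.new(salt, f"{username}|{pass_frag}|{expiration}|{token}".encode(), "md5").hexdigest()
    return hmac.new(key.encode(), f"{username}|{expiration}|{token}".encode(), "sha256").hexdigest()

def mint_cookie(username, expiration, token, users=USERS):
    """Server-side issuance: producing the HMAC needs the salt and the user's password fragment."""
    pass_frag = users[username]["user_pass"][8:12]
    return f"{username}|{expiration}|{token}|{cookie_hmac(username, pass_frag, expiration, token)}"

def validated_user_from_cookie(cookie, now, users=USERS):
    """Modelled on wp_validate_auth_cookie(): reject unknown users, expired cookies and bad HMACs."""
    parsed = parse_auth_cookie(cookie)
    if parsed is None or not parsed["expiration"].isdigit():
        return None
    user = users.get(parsed["username"])
    if user is None or int(parsed["expiration"]) < now:
        return None  # unknown user or expired cookie
    expected = cookie_hmac(parsed["username"], user["user_pass"][8:12], parsed["expiration"], parsed["token"])
    if not hmac.compare_digest(expected, parsed["hmac"]):
        return None  # forged, or a genuine cookie with the username swapped
    return parsed["username"]
```

The forged cookie from the report is accepted by the parse-only path and rejected by the validating path; swapping the username inside a genuinely minted cookie is rejected too, because the username is bound into the HMAC.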
The professional exploit script
I created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:
Source: miniorange_oauth_server_plugin_vdb_exploit_with_selenium.py
How to use:
Client: https://lana.solutions/vdb/miniorange-oauth-client/
Server: https://lana.solutions/vdb/miniorange-oauth-server/