{"id":2825,"date":"2023-07-04T15:34:40","date_gmt":"2023-07-04T13:34:40","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=2825"},"modified":"2024-04-25T14:50:14","modified_gmt":"2024-04-25T12:50:14","slug":"cve-2023-34020-unauthenticated-open-redirect","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/cve-2023-34020-unauthenticated-open-redirect\/","title":{"rendered":"[CVE-2023-34020] Unauthenticated Open Redirect"},"content":{"rendered":"<\/span> 3<\/span> min read<\/span><\/span>

Views: 453<\/p>\n

<\/div>\n\n\n\n
\"open<\/figure>\n\n\n\n

Patchstack<\/strong> : https:\/\/patchstack.com\/database\/vulnerability\/uncanny-learndash-toolkit\/wordpress-uncanny-toolkit-for-learndash-plugin-3-6-4-3-open-redirection-vulnerability<\/a><\/p>\n\n\n\n

\n\n\n\n
<\/div>\n\n\n\n

Introduction :<\/h1>\n\n\n\n
<\/div>\n\n\n\n

La s\u00e9curit\u00e9<\/strong> est primordiale lorsqu’il s’agit de maintenir un site WordPress<\/a>. Les plugins<\/a> jouent un r\u00f4le crucial dans l’am\u00e9lioration des fonctionnalit\u00e9s, mais ils peuvent \u00e9galement introduire des vuln\u00e9rabilit\u00e9s<\/mark><\/strong> s’ils ne sont pas d\u00e9velopp\u00e9s et entretenus correctement. Dans cet article, nous allons explorer un cas r\u00e9el d’une vuln\u00e9rabilit\u00e9<\/mark><\/strong> que j’ai trouv\u00e9<\/a>.<\/p>\n\n\n\n

\n\n\n\n
<\/div>\n\n\n\n

Open redirect :<\/h1>\n\n\n\n
<\/div>\n\n\n\n

Open Redirect<\/a>, est une faille de s\u00e9curit\u00e9 qui permet \u00e0 des individus malveillants de d\u00e9tourner les m\u00e9canismes de redirection<\/mark><\/strong> d’un site web afin de rediriger les utilisateurs<\/mark><\/strong> vers des destinations non autoris\u00e9es. Cette vuln\u00e9rabilit\u00e9<\/mark><\/strong> survient lorsque l’application web accepte des URL externes ou des param\u00e8tres de redirection sans effectuer de validation ad\u00e9quate.<\/p>\n\n\n\n

Un attaquant pourrait manipuler le lien en y ins\u00e9rant une URL malveillante<\/mark><\/strong>. Lorsque l’utilisateur clique sur ce lien, il est alors redirig\u00e9 vers un site web malveillant<\/mark><\/strong>, sans se rendre compte de la manipulation en cours.<\/p>\n\n\n\n

<\/div>\n\n\n
\n
\"open<\/figure>\n<\/div>\n\n\n
\n\n\n\n
<\/div>\n\n\n\n

Analyse du code : <\/h1>\n\n\n\n
<\/div>\n\n\n\n

Ce code permet d’enregistrer un point endpoint<\/mark><\/strong> pour une API dans WordPress<\/strong>. Lorsqu’un utilisateur envoie une requ\u00eate GET \u00e0 l’URL \u00ab\u00a0http:\/\/target.com\/?rest_route=\/ult\/v2\/review-banner-visibility<\/mark><\/strong>\u00ab\u00a0, la fonction \u00ab\u00a0save_review_settings()<\/mark><\/strong>\u00a0\u00bb sera ex\u00e9cut\u00e9e pour traiter cette requ\u00eate sp\u00e9cifique. Il n’y a pas de restrictions de permission, ce qui signifie que tous les utilisateurs sont autoris\u00e9s \u00e0 acc\u00e9der \u00e0 cet endpoint<\/strong><\/mark>.<\/p>\n\n\n\n

<\/div>\n\n\n\n
public function uo_register_api() {\n\t\tregister_rest_route(\n\t\t\tUNCANNY_TOOLKIT_REST_API_END_POINT,\n\t\t\t'\/review-banner-visibility\/',\n\t\t\tarray(\n\t\t\t\t'methods'             => 'GET',\n\t\t\t\t'callback'            => array( $this, 'save_review_settings' ),\n\t\t\t\t'permission_callback' => '__return_true',\n\t\t\t)\n\t\t);\n\t}<\/code><\/pre>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Le code vuln\u00e9rable : <\/h1>\n\n\n\n
<\/div>\n\n\n\n
La vuln\u00e9rabilit\u00e9 r\u00e9sidait dans la fonction save_review_settings()<\/mark><\/strong> et dans l’utilisation directe du param\u00e8tre redirect_url<\/mark> <\/strong>dans la fonction wp_redirect()<\/mark><\/strong>. Cela permettait aux attaquants de manipuler le param\u00e8tre redirect_url<\/mark><\/strong> et de rediriger les utilisateurs vers n’importe quel site Web de leur choix, pouvant contenir du contenu malveillant ou des activit\u00e9s frauduleuses.<\/p>\n\n\n\n
<\/div>\n\n\n\n
public function save_review_settings( $request ) {\n\n\t\t\/\/ Check if its a valid request.\n\t\t$action = $request->get_param( 'action' );\n\n\t\t$redirect = $request->get_param( 'redirect' );\n\n\t\t$redirect_url = $request->get_param( 'redirect_url' );\n\n\t\t$visiblity_actions = array( 'maybe-later', 'hide-forever' );\n\n\t\t[REDACTED]\n\n\t\t\tif ( 'yes' === $redirect ) {\n\n\t\t\t\t\/\/ Return the refering url if its empty.\n\t\t\t\tif ( empty( $redirect_url ) ) {\n\n\t\t\t\t\t$redirect_url = wp_get_referer();\n\n\t\t\t\t}\n\n\t\t\t\twp_redirect( $redirect_url ); \/\/phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect\n\n\t\t\t\texit;\n\n\t\t\t}\n        [REDACTED]<\/code><\/pre>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
La preuve de concept (POC) : <\/h1>\n\n\n\n
<\/div>\n\n\n\n
Pour d\u00e9montrer la vuln\u00e9rabilit\u00e9<\/mark><\/strong>, voici la requ\u00eate en int\u00e9gralit\u00e9 ainsi qu’un screen montrant la requ\u00eate la r\u00e9ponse du serveur, nous sommes donc bien redirig\u00e9 vers https:\/\/mikadmin.fr<\/a>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
http:\/\/target.com\/?rest_route=\/ult\/v2\/review-banner-visibility&action=maybe-later&redirect=yes&redirect_url=https:\/\/mikadmin.fr<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Protection et correctif :<\/h1>\n\n\n\n
<\/div>\n\n\n\n
Pour rem\u00e9dier \u00e0 cette vuln\u00e9rabilit\u00e9, il est crucial de s’assurer que toutes les entr\u00e9es fournies par l’utilisateur, y compris le param\u00e8tre redirect_url<\/mark><\/strong>, subissent une validation et une sanitisation<\/strong> approfondies avant d’\u00eatre utilis\u00e9es dans une redirection. WordPress propose des fonctions telles que wp_validate_redirect()<\/mark><\/strong> ou esc_url()<\/mark><\/strong> qui peuvent \u00eatre utilis\u00e9es pour valider et nettoyer les URL, r\u00e9duisant ainsi le risque d’Open Redirect<\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Voici le correctif propos\u00e9 par le plugin :<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
<\/div>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  3<\/span> min read<\/span><\/span>Mika discovered and reported this Open Redirection. This could allow a malicious actor to redirect users from one site to the other due to the redirect URL not being validated. Users could be tricked to visiting a legitimate site to then be redirected to a malicious site and cause a phishing incident. This vulnerability has been fixed in version 3.6.4.4. Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":2907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[64,76,5,84,83,45,10,75],"class_list":["post-2825","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-cve","tag-findings","tag-infosec","tag-open-redirect","tag-patchstack","tag-pentest","tag-security","tag-wordpress"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=2825"}],"version-history":[{"count":1,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2825\/revisions"}],"predecessor-version":[{"id":3112,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2825\/revisions\/3112"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/2907"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=2825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=2825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=2825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}