| Field | Value |
| --- | --- |
| Affected plugin | Magic Login Pro |
| Active installs | Unknown |
| Vulnerable version | <= 1.4.1 |
| Audited version | 1.4.1 |
| Fully patched version | 1.5 |
| Recommended remediation | Upgrade to version 1.5 or higher |
Description
The plugin uses the current IP address to rate limit login requests.
The implementation is vulnerable to IP spoofing, which an attacker can abuse to ban arbitrary users, or the site's own reverse proxy, from accessing the login page.
Proof of concept
The plugin uses the “get_client_ip” function everywhere it needs access to the current IP address.
```php
// Vulnerable implementation as shipped in version 1.4.1: the header value is
// returned without any check that the request actually arrived via a trusted proxy.
function get_client_ip() {
    if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // Any client can set this header to an arbitrary value.
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    return $_SERVER['REMOTE_ADDR'];
}
```
This function blindly reads the IP address from the X-Forwarded-For header, which is entirely user-controlled.
Proposed patch
This is described at length in our article on the subject.
Summary: Only ever use REMOTE_ADDR to determine the current IP address.
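As an added example that is not the plugin's code, the following hardened replacement follows the summary above (REMOTE_ADDR only) and goes one step further for deployments behind a reverse proxy: X-Forwarded-For is consulted only when REMOTE_ADDR is an administrator-configured trusted proxy, and only the address that proxy appended is used. The function name, the `$server` parameter and the `$trusted_proxies` list are assumptions introduced here so the function can be exercised with constructed input.

```php
<?php
// Added example, not the plugin's own code. The $server parameter stands in
// for $_SERVER so the function can be run against constructed requests.
function get_client_ip_hardened( array $server, array $trusted_proxies = array() ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? trim( $server['REMOTE_ADDR'] ) : '';

    // Default and safest case: no trusted proxy configured, or the TCP peer is
    // not one of them. The peer address is the only trustworthy source.
    if ( empty( $trusted_proxies ) || ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote;
    }

    if ( empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;
    }

    // A well-behaved proxy appends the peer it saw to the END of the list.
    // Earlier entries were supplied by the client and must not be trusted.
    $chain     = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    $candidate = end( $chain );

    // Refuse anything that is not a syntactically valid IP address so a crafted
    // header cannot be used as an arbitrary rate-limiter storage key.
    if ( filter_var( $candidate, FILTER_VALIDATE_IP ) === false ) {
        return $remote;
    }
    return $candidate;
}

// Constructed sample requests (documentation ranges, not real hosts).
$direct_with_spoofed_header = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
);
$behind_trusted_proxy = array(
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 192.0.2.44',
);

var_dump( get_client_ip_hardened( $direct_with_spoofed_header ) );
var_dump( get_client_ip_hardened( $behind_trusted_proxy, array( '10.0.0.2' ) ) );
```

In the first request the header is ignored because no trusted proxy is configured; in the second, only the last entry of the chain (the address the trusted proxy recorded) is accepted, so the leftmost client-supplied value has no effect on rate limiting.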
Timeline
| Event | Date |
| --- | --- |
| Vendor contacted | September 07, 2022 |
| First response | September 07, 2022 |
| Fully patched at | September 12, 2022 |
| Publicly disclosed | April 24, 2023 |
Miscellaneous
- The vendor has shown exceptional cooperation and implemented our proposed patches within less than four business days.
- The vendor did not hide the vulnerability in its release notes and urged all users to update immediately.