CVE-2023-34020 is a serious security flaw found in the Uncanny Owl Uncanny Toolkit for LearnDash WordPress plugin. This vulnerability allows attackers to perform Open Redirects, tricking users into visiting malicious websites. Anyone using the plugin versions up to and including 3.6.4.3 is at risk.

Understanding the Issue: Open Redirect

An Open Redirect happens when an application lets users supply a URL that they will be sent to, without checks or restrictions. This is dangerous, as attackers can steal credentials or install malware.

In the case of Uncanny Toolkit for LearnDash, certain URLs handled by the plugin can be manipulated to send users wherever the attacker wants.

Sample Exploitation

Let’s look at an example of how an attacker could exploit this flaw.

A copy-paste exploit URL might look like this:

https://YOURWORDPRESSSITE.com/?redirect_to=https://evil.com

Here’s a simplified look at what such buggy PHP code might look like:

// Simulated vulnerable code
if (isset($_GET['redirect_to'])) {
    $url = $_GET['redirect_to'];
    header("Location: " . $url); // Redirects anywhere, even outside your site!
    exit;
}

What’s wrong?
There’s no check to see if $url points to a safe or allowed place.

Real-World Attack Scenario

Let’s say your site is mycourses.com and you use the Uncanny Toolkit for LearnDash. An attacker can email your users:

> "Click here to see your new courses:
> https://mycourses.com/?redirect_to=https://phishing.com/login"

To a normal user, this looks safe at first. But after clicking, they land on a phishing site, possibly losing their passwords.

Official References and Security Advisories

- Patchstack Security Advisory
- NVD Entry for CVE-2023-34020
- Uncanny Owl Official Plugin Page

- Search your site for any usage of redirect_to or similar parameters.
- If unsure, ask a developer to review your code/plugin usage.

How the Patch Works (Behind the Scenes)

In the fixed version, developers typically “whitelist” redirects or only allow redirects to their own domain.

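Safer PHP redirect example:

if (isset($_GET['redirect_to'])) {
    $url = $_GET['redirect_to'];
    // Only allow redirects within your own site. Comparing against home_url('/')
    // (with the trailing slash) means a host that merely begins with your
    // domain name does not pass the prefix check.
    if (strpos($url, home_url('/')) === 0) {
        header("Location: $url");
    } else {
        // Anything else falls back to the site's home page
        header("Location: " . home_url());
    }
    exit;
}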

Now, no more redirects to external sites!
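A stricter form of the same-site check, written as plain PHP so it runs outside WordPress: it parses the redirect_to value and compares scheme, host and port instead of a string prefix. This is an added example, not the plugin's actual patch; safe_redirect_target(), naive_prefix_ok() and the sample URLs are constructed for illustration.

```php
<?php
// Added example (not the plugin's code). Host names and inputs are constructed.

// Returns $candidate if it stays on the site identified by $home, else $home.
function safe_redirect_target(string $candidate, string $home): string
{
    // Browsers treat "\" like "/" and skip tabs/newlines, so refuse them outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $home;
    }
    // Site-relative path: exactly one leading slash ("//host" is protocol-relative).
    if (preg_match('#^/(?!/)#', $candidate)) {
        return rtrim($home, '/') . $candidate;
    }
    $target = parse_url($candidate);
    $base   = parse_url($home);
    if (!is_array($target) || !isset($target['scheme'], $target['host'])) {
        return $home; // unparsable, or no scheme/host (e.g. "javascript:...")
    }
    if (isset($target['user']) || isset($target['pass'])) {
        return $home; // "https://site@other-host/" hides the real host
    }
    $same_site = strcasecmp($target['scheme'], $base['scheme']) === 0
        && strcasecmp($target['host'], $base['host']) === 0
        && ($target['port'] ?? null) === ($base['port'] ?? null);
    return $same_site ? $candidate : $home;
}

// Prefix comparison without a trailing slash, shown only for contrast.
function naive_prefix_ok(string $candidate, string $home): bool
{
    return strpos($candidate, rtrim($home, '/')) === 0;
}

$home = 'https://mycourses.com/';
$samples = [
    '/courses/intro',
    'https://mycourses.com/courses/intro',
    'https://phishing.com/login',
    'https://mycourses.com.phishing.com/login', // passes the naive check
    'https://mycourses.com@phishing.com/login', // passes the naive check
    '//phishing.com/login',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-42s naive=%-3s -> %s\n", $s, naive_prefix_ok($s, $home) ? 'yes' : 'no',
        safe_redirect_target($s, $home));
}
```

Inside WordPress, the core functions wp_validate_redirect() and wp_safe_redirect() provide this kind of host allowlisting and are preferable to a hand-rolled check.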

Got Questions?

If you need more details, consult the links above, or reach out via the WordPress Plugin Support Forum.

Stay safe, and always keep your plugins up to date!

Timeline

Published on: 03/27/2024 14:15:08 UTC
Last modified on: 03/27/2024 15:49:41 UTC