WordPress Spam Free 1.9.2 Filter Bypass

2013.01.08
Credit: AkaStep
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm AkaStep member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ======================================================= Vulnerable software: Spam Free Wordpress plugin Version 1.9.2 Download link: http://wordpress.org/extend/plugins/spam-free-wordpress/ Vuln: IP based Blocklist restriction Bypass. ======================================================= Tested On: Debian squeeze 6.0.6 Server version: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH ======================================================= About vuln: This plugin "trusts" to client side. Due this issuse this is possible to bypass IP blocklist.(if used) /spam-free-wordpress/includes/functions.php ==================SNIP======================== // Function for wp-comments-post.php file located in the root Wordpress directory. The same directory as the wp-config.php file. function sfw_comment_post_authentication() { global $post, $sfw_options; //$sfw_comment_script = get_post_meta( $post->ID, 'sfw_comment_form_password', true ); $sfw_comment_script = get_transient( $post->ID. '-' .$_POST['pwdfield'] ); $cip = $_POST['comment_ip']; // If the reader is logged in don't require password for wp-comments-post.php if( !is_user_logged_in() ) { // Nonce check if( empty( $_POST['sfw_comment_nonce'] ) || !wp_verify_nonce( $_POST['sfw_comment_nonce'],'sfw_nonce' ) ) wp_die( __( 'Spam Free Wordpress rejected your comment because you failed a critical security check.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) ); // Compares current comment form password with current password for post if( empty( $_POST['pwdfield'] ) || $_POST['pwdfield'] != $sfw_comment_script ) wp_die( __( 'Spam Free Wordpress rejected your comment because you did not enter the correct password or it was empty.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) ); // Compares commenter IP address to local blocklist if( empty( $_POST['comment_ip'] ) || $_POST['comment_ip'] == sfw_local_blocklist_check( $cip ) ) wp_die( __( 'Comment blocked by Spam Free Wordpress because your IP address is in the local blocklist, or you forgot to type a comment.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Blocked by Spam Free Wordpress local blocklist', array( 'response' => 200, 'back_link' => true ) ); } ===============EOF SNIP========================= Proof of concept video about this vulnerability can be found here: http://www.youtube.com/watch?v=vbUzJS0EdFA&feature=youtu.be FULL PATH DISCLOSURES: Direct access: http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//comments.php Fatal error: Call to a member function sfw_comment_form_header() on a non-object in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/comments.php on line 8 http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//admin/class-menu.php Fatal error: Call to undefined function add_action() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/admin/class-menu.php on line 9 http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//tl-spam-free-wordpress.php Fatal error: Call to undefined function __() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/tl-spam-free-wordpress.php on line 24 http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//includes/functions.php Fatal error: Call to undefined function add_filter() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/includes/functions.php on line 269 Theris also XSS vulnerability when inserting API key(License key). But in fact it isn't exploitable due usage of "wp_nonce" ANTI-CSRF token. ================================================ SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS: ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers Also special thanks to: ottoman38 & HERO_AZE ================================================ /AkaStep

References:

http://www.youtube.com/watch?v=vbUzJS0EdFA&feature=youtu.be


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top