Vulners
Lucene search
WordPress Add From Server 6.2 Cross Site Request Forgery
`------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in Add From Server WordPress
Plugin
------------------------------------------------------------------------
Edwin Molenaar, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Add From Server is vulnerabile to Cross-Site
Request Forgery. It can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement). An attacker can use this issue to add illegal content to
the victims server, or add very large files to the victim's server to
exaust the amount of avalible disk space.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0004
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Add From Server WordPress
Plugin version 6.2.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Add From Server version 3.3.2.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_add_from_server_wordpress_plugin.html
When a (media) file is added from the server, the source is not validated. This means that not only files from the localhost can be added, but also from other sources. The affected code is not protected with an anti-Cross-Site Request Forgery token.
The function handle_imports() only removes slashes. The vulnerability exists in the file add-from-server/class.add-from-server.php (line 213). Because slashes are removed, the file that will be uploaded must exist in the server root. For example: www.example.com/largefile.txt
The host and filename will be set in a separate parameter, so no slashes are needed.
Proof of concept
POST /wp-admin/upload.php?page=add-from-server HTTP/1.1
Host: <target>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
files%5B%5D=largefile.txt&import-date=current&cwd=www.example.com&import=Import
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Aug 2016 00:00Current
0.2Low risk
Vulners AI Score0.2