exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Spam Free 1.9.2 Filter Bypass

WordPress Spam Free 1.9.2 Filter Bypass
Posted Jan 5, 2013
Authored by Akastep

WordPress Spam Free plugin version 1.9.2 suffers from a filter bypass due to letting the client define the "comment" source IP address as a variable being passed to the server.

tags | exploit, bypass
SHA-256 | a4bff041963cdaab3664b99e8efe9ad4aed56f50b5b3e27f611f817c324772e5

WordPress Spam Free 1.9.2 Filter Bypass

Change Mirror Download
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

=======================================================
Vulnerable software: Spam Free Wordpress plugin Version 1.9.2
Download link: http://wordpress.org/extend/plugins/spam-free-wordpress/
Vuln: IP based Blocklist restriction Bypass.
=======================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
=======================================================
About vuln:
This plugin "trusts" to client side.
Due this issuse this is possible to bypass IP blocklist.(if used)

/spam-free-wordpress/includes/functions.php
==================SNIP========================
// Function for wp-comments-post.php file located in the root Wordpress directory. The same directory as the wp-config.php file.
function sfw_comment_post_authentication() {
global $post, $sfw_options;

//$sfw_comment_script = get_post_meta( $post->ID, 'sfw_comment_form_password', true );
$sfw_comment_script = get_transient( $post->ID. '-' .$_POST['pwdfield'] );

$cip = $_POST['comment_ip'];

// If the reader is logged in don't require password for wp-comments-post.php
if( !is_user_logged_in() ) {
// Nonce check
if( empty( $_POST['sfw_comment_nonce'] ) || !wp_verify_nonce( $_POST['sfw_comment_nonce'],'sfw_nonce' ) )
wp_die( __( 'Spam Free Wordpress rejected your comment because you failed a critical security check.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );

// Compares current comment form password with current password for post
if( empty( $_POST['pwdfield'] ) || $_POST['pwdfield'] != $sfw_comment_script )
wp_die( __( 'Spam Free Wordpress rejected your comment because you did not enter the correct password or it was empty.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );

// Compares commenter IP address to local blocklist
if( empty( $_POST['comment_ip'] ) || $_POST['comment_ip'] == sfw_local_blocklist_check( $cip ) )
wp_die( __( 'Comment blocked by Spam Free Wordpress because your IP address is in the local blocklist, or you forgot to type a comment.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Blocked by Spam Free Wordpress local blocklist', array( 'response' => 200, 'back_link' => true ) );

}

===============EOF SNIP=========================

Proof of concept video about this vulnerability can be found here:


http://www.youtube.com/watch?v=vbUzJS0EdFA&feature=youtu.be





FULL PATH DISCLOSURES:
Direct access:

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//comments.php

Fatal error: Call to a member function sfw_comment_form_header() on a non-object in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/comments.php on line 8

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//admin/class-menu.php

Fatal error: Call to undefined function add_action() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/admin/class-menu.php on line 9

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//tl-spam-free-wordpress.php

Fatal error: Call to undefined function __() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/tl-spam-free-wordpress.php on line 24

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//includes/functions.php

Fatal error: Call to undefined function add_filter() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/includes/functions.php on line 269


Theris also XSS vulnerability when inserting API key(License key).
But in fact it isn't exploitable due usage of "wp_nonce" ANTI-CSRF token.


================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close