WordPress Spam Free plugin version 1.9.2 suffers from a filter bypass due to letting the client define the "comment" source IP address as a variable being passed to the server.
a4bff041963cdaab3664b99e8efe9ad4aed56f50b5b3e27f611f817c324772e51-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
=======================================================
Vulnerable software: Spam Free Wordpress plugin Version 1.9.2
Download link: http://wordpress.org/extend/plugins/spam-free-wordpress/
Vuln: IP based Blocklist restriction Bypass.
=======================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
=======================================================
About vuln:
This plugin "trusts" to client side.
Due this issuse this is possible to bypass IP blocklist.(if used)
/spam-free-wordpress/includes/functions.php
==================SNIP========================
// Function for wp-comments-post.php file located in the root Wordpress directory. The same directory as the wp-config.php file.
function sfw_comment_post_authentication() {
global $post, $sfw_options;
//$sfw_comment_script = get_post_meta( $post->ID, 'sfw_comment_form_password', true );
$sfw_comment_script = get_transient( $post->ID. '-' .$_POST['pwdfield'] );
$cip = $_POST['comment_ip'];
// If the reader is logged in don't require password for wp-comments-post.php
if( !is_user_logged_in() ) {
// Nonce check
if( empty( $_POST['sfw_comment_nonce'] ) || !wp_verify_nonce( $_POST['sfw_comment_nonce'],'sfw_nonce' ) )
wp_die( __( 'Spam Free Wordpress rejected your comment because you failed a critical security check.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );
// Compares current comment form password with current password for post
if( empty( $_POST['pwdfield'] ) || $_POST['pwdfield'] != $sfw_comment_script )
wp_die( __( 'Spam Free Wordpress rejected your comment because you did not enter the correct password or it was empty.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );
// Compares commenter IP address to local blocklist
if( empty( $_POST['comment_ip'] ) || $_POST['comment_ip'] == sfw_local_blocklist_check( $cip ) )
wp_die( __( 'Comment blocked by Spam Free Wordpress because your IP address is in the local blocklist, or you forgot to type a comment.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Blocked by Spam Free Wordpress local blocklist', array( 'response' => 200, 'back_link' => true ) );
}
===============EOF SNIP=========================
Proof of concept video about this vulnerability can be found here:
http://www.youtube.com/watch?v=vbUzJS0EdFA&feature=youtu.be
FULL PATH DISCLOSURES:
Direct access:
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//comments.php
Fatal error: Call to a member function sfw_comment_form_header() on a non-object in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/comments.php on line 8
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//admin/class-menu.php
Fatal error: Call to undefined function add_action() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/admin/class-menu.php on line 9
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//tl-spam-free-wordpress.php
Fatal error: Call to undefined function __() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/tl-spam-free-wordpress.php on line 24
http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//includes/functions.php
Fatal error: Call to undefined function add_filter() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/includes/functions.php on line 269
Theris also XSS vulnerability when inserting API key(License key).
But in fact it isn't exploitable due usage of "wp_nonce" ANTI-CSRF token.
================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed