what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress WP-Ban 1.62 Bypass

WordPress WP-Ban 1.62 Bypass
Posted Sep 17, 2014
Authored by Tom Adams

WordPress WP-Ban plugin version 1.62 suffers from a bypass vulnerability when a properly minted X-Forwarded-For header is used.

tags | exploit, bypass
advisories | CVE-2014-6230
SHA-256 | 993efa6dd07b224e9bb5b8fdab33d68bb547334c234e6e0ca083f1086bcc1733

WordPress WP-Ban 1.62 Bypass

Change Mirror Download
Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations

Vulnerability
================
This plugin allows blacklisting users based on their IP address, however it takes the IP address from the X-Forwarded-For header if available.
Not all Web server configurations will strip or replace X-Forwarded-For headers – in which case the IP ban can be bypassed by sending this header. This plugin therefore only works in certain configurations, but does not warn admins of this fact.

Proof of concept
================

Visit http://localhost/wp-admin/admin.php?page=wp-ban/ban-options.php
Set “Banned IPs” to “127.0.0.1″
Execute “curl http://localhost/\" and see the “You Are Banned” message
Execute “curl http://localhost/ -H \'X-Forwarded-For: 999.999.999.999\'\" and see that it displays the page

Note that this will not work if your Web server sets or strips X-Forwarded-For headers.
(To remove the IP blacklist run this SQL: “delete from wp_options where option_name=\'banned_ips\';\")

Mitigations
================
Upgrade to version 1.6.4 or later.
If a reverse-proxy is used, check the “I am using a reverse proxy” box in the plugin settings, and ensure that X-Forwarded-For headers are being set even if the request already contains an X-Forwarded-For header.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2014-08-27: Discovered
2014-09-04: Reported to vendor by email
2014-09-04: Requested CVE
2014-09-04: Vendor responded
2014-09-17: Vendor reported a fixed version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.




Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close