Spam Free Wordpress plugin Version 1.9.2 Vulnerability (Video Link Included)

=======================================================
Vulnerable software: Spam Free Wordpress plugin Version 1.9.2
Download link: http://wordpress.org/extend/plugins/spam-free-wordpress/
Vuln: IP based Blocklist restriction Bypass.
=======================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
=======================================================
About vuln:
This plugin trusts client-side data: the commenter's IP address is read from the POST field comment_ip instead of from the server's view of the connection.
Because of this, the IP blocklist (if used) can be bypassed.

/spam-free-wordpress/includes/functions.php
==================SNIP========================
// Function for wp-comments-post.php file located in the root Wordpress directory. The same directory as the wp-config.php file.
function sfw_comment_post_authentication() {
    global $post, $sfw_options;

    //$sfw_comment_script = get_post_meta( $post->ID, 'sfw_comment_form_password', true );
    $sfw_comment_script = get_transient( $post->ID. '-' .$_POST['pwdfield'] );

    // The commenter's IP address is taken from a POST field, i.e. from data the client
    // controls, rather than from the server's view of the connection ($_SERVER['REMOTE_ADDR']).
    $cip = $_POST['comment_ip'];

    // If the reader is logged in don't require password for wp-comments-post.php
    if( !is_user_logged_in() ) {
        // Nonce check
        if( empty( $_POST['sfw_comment_nonce'] ) || !wp_verify_nonce( $_POST['sfw_comment_nonce'],'sfw_nonce' ) )
            wp_die( __( 'Spam Free Wordpress rejected your comment because you failed a critical security check.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );

        // Compares current comment form password with current password for post
        if( empty( $_POST['pwdfield'] ) || $_POST['pwdfield'] != $sfw_comment_script )
            wp_die( __( 'Spam Free Wordpress rejected your comment because you did not enter the correct password or it was empty.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Free Wordpress rejected your comment', array( 'response' => 200, 'back_link' => true ) );

        // Compares commenter IP address to local blocklist.
        // Both the value looked up and the value compared against come from $_POST['comment_ip'],
        // so the blocklist only ever sees whatever address the client chose to send.
        if( empty( $_POST['comment_ip'] ) || $_POST['comment_ip'] == sfw_local_blocklist_check( $cip ) )
            wp_die( __( 'Comment blocked by Spam Free Wordpress because your IP address is in the local blocklist, or you forgot to type a comment.', 'spam-free-wordpress' ) . sfw_spam_counter(), 'Spam Blocked by Spam Free Wordpress local blocklist', array( 'response' => 200, 'back_link' => true ) );

    }

===============EOF SNIP=========================
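
A server-side replacement for the blocklist check, added here as an example and not code from the Spam Free Wordpress plugin: the address is taken from $_SERVER['REMOTE_ADDR'], so the comment_ip form field no longer influences the result. The blocklist format, the helper names and the absence of a reverse proxy are assumptions of this example.

```php
<?php
// Added example, not plugin code: a server-side version of the blocklist check
// shown above. The commenter's address comes from $_SERVER['REMOTE_ADDR'], which
// the web server fills in from the TCP connection, so a POST field such as
// comment_ip cannot influence the lookup. Blocklist format and helper names are
// constructed for this example; the server is assumed not to sit behind a proxy.
// Constructed blocklist: exact addresses and IPv4 CIDR ranges (RFC 5737 test nets).
const EXAMPLE_BLOCKLIST = ['203.0.113.7', '198.51.100.0/24'];
// The peer address as seen by the server. Behind a trusted reverse proxy you would
// take the last hop of X-Forwarded-For instead, but only after checking that
// REMOTE_ADDR is the proxy itself; otherwise that header is client-controlled too.
function resolve_client_ip(array $server): ?string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

// True when IPv4 $ip lies inside $entry ("198.51.100.0/24"), or equals it when
// $entry carries no mask.
function ip_matches_entry(string $ip, string $entry): bool {
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = ((-1) << (32 - (int) $bits)) & 0xFFFFFFFF;   // /0 gives 0, /32 gives all ones
    return ($ipLong & $mask) === ($netLong & $mask);
}

function ip_is_blocklisted(string $ip, array $blocklist): bool {
    foreach ($blocklist as $entry) {
        if (ip_matches_entry($ip, $entry)) {
            return true;
        }
    }
    return false;
}
// Constructed request: the form claims an innocent address, the socket says otherwise.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';
$_POST['comment_ip']    = '192.0.2.1';
$clientIp = resolve_client_ip($_SERVER);
if ($clientIp === null || ip_is_blocklisted($clientIp, EXAMPLE_BLOCKLIST)) {
    echo "rejected (blocklisted or unresolvable): {$clientIp}\n";  // WordPress would wp_die() here
} else {
    echo "accepted: {$clientIp}\n";
}
```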

A proof-of-concept video of this vulnerability can be found here:

http://www.youtube.com/watch?v=vbUzJS0EdFA&feature=youtu.be

FULL PATH DISCLOSURES:
Direct access:

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//comments.php

Fatal error: Call to a member function sfw_comment_form_header() on a non-object in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/comments.php on line 8

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//admin/class-menu.php

Fatal error: Call to undefined function add_action() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/admin/class-menu.php on line 9

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//tl-spam-free-wordpress.php

Fatal error: Call to undefined function __() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/tl-spam-free-wordpress.php on line 24

http://hacker1.own/wp/wp-content/plugins/spam-free-wordpress//includes/functions.php

Fatal error: Call to undefined function add_filter() in /etc/apache2/htdocs/hacker1/wp/wp-content/plugins/spam-free-wordpress/includes/functions.php on line 269
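
An audit script that lists plugin files which can be executed outside WordPress, added here as an example and not code from the plugin: a file calling WordPress functions without first confirming that WordPress loaded it dies with a fatal error on direct request, and with display_errors enabled that error prints the absolute path, as in the four responses above. The scanned directory comes from the first CLI argument, and the regex covering the usual spellings of the ABSPATH guard is an assumption of this example.

```php
<?php
// Added example, not plugin code: report plugin PHP files lacking the conventional
// guard  if ( ! defined( 'ABSPATH' ) ) { exit; }  near the top. Without it, a direct
// request runs the file outside WordPress, every WordPress function is undefined,
// and the resulting fatal error (if displayed) leaks the filesystem path.
// Assumptions: directory to scan is $argv[1]; the regex matches the common guard
// spellings (! defined(...), defined(...) || exit, defined(...) or die), not all.

function has_abspath_guard(string $source): bool {
    $pattern = '/!\s*defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)'
             . '|defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)\s*(?:\|\||or\b)/i';
    return preg_match($pattern, $source) === 1;
}

function find_unguarded_php_files(string $dir): array {
    $unguarded = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        if ($source !== false && !has_abspath_guard($source)) {
            $unguarded[] = $file->getPathname();
        }
    }
    sort($unguarded);
    return $unguarded;
}

// Constructed self-check: one guarded and one unguarded snippet.
$guarded   = "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\nadd_action( 'init', 'f' );";
$unguarded = "<?php\nadd_action( 'init', 'f' );";
if (!has_abspath_guard($guarded) || has_abspath_guard($unguarded)) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}

foreach (find_unguarded_php_files($argv[1] ?? '.') as $path) {
    echo "no ABSPATH guard: {$path}\n";   // candidate for a direct-access fatal error
}
// Defence in depth: display_errors=Off and log_errors=On in the production php.ini
// keep any remaining fatal error out of the HTTP response.
```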


There is also an XSS vulnerability when inserting the API key (license key).
But in practice it isn't exploitable, because the form uses a "wp_nonce" anti-CSRF token.


================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
           To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep member from Inj3ct0r Team




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

