Make WordPress Core

Opened 17 months ago

Last modified 14 months ago

#57451 new defect (bug)

Cross Site Request Forgery on Admin of any wordpress site to export files

Reported by: f41z4n's profile f41z4n Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version:
Component: Export Keywords: needs-patch
Focuses: administration Cc:

Description (last modified by sabernhardt)

[Marked as No Impact By WordPress Hackerone Team]

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing

Steps To Reproduce:

  1. Login to WordPress Backend as an Admin
  2. Go-to Tools > Export > Select what to export
  3. Select the Data you want to export. Capture this request using a web-proxy like BurpSuite
  4. Since this is a GET request, Copy the URL to which request is made.
  5. Send this URL to another admin or user with equal rights.
  6. When he clicks on the URL, he shall download the file automatically.

The endpoint vulnerable:
http://<your_wp.com>/wp-admin/export.php?download=true&content=all&cat=0&post_author=2&post_start_date=0&post_end_date=0&post_status=0&page_author=0&page_start_date=0&page_end_date=0&page_status=0&attachment_start_date=0&attachment_end_date=0&submit=Download+Export+File

Recommendations
Enforce CSRF protection like wpNonce Token for file export endpoint.

Impact
Unauthorised File Download on an administrator's PC
An attacker can write a script which sends 100s of GET requests at once to the endpoint, and share the script to another user, and when he downloads 100 files at once, it shall also consume his disk space

Attachments (1)

Untitled (4).mp4 (5.6 MB) - added by f41z4n 17 months ago.

Change History (4)

@f41z4n
17 months ago

#1 @sabernhardt
16 months ago

  • Component changed from General to Export
  • Description modified (diff)

#2 @johnbillion
16 months ago

  • Severity changed from major to minor
  • Version 6.1.1 deleted

#3 @f41z4n
14 months ago

Hi @johnbillion @sabernhardt , Wordfence Team has agreed to issue a CVE for this missing CSRF check once this vulnerability gets patched in the core. May I have an estimated timeline, as the vulnerability is already publicly exposed here in the tracker?

More potential Impact:

1) An IT admin running a wordpress on VPS and using the same VPS to login to the wordpress backend , when he clicks on this link, he will download the file to VPS, unwanted. VPS can be limited in storage as its main purpose is to run the application, for storage IT admins often attack additional storage medias, like S3 in amazon, which is separate from the host application machine. A significant number of downloads of a large log file( increase the amount of duration for logs in CSRF link will create a huge size log file) will degrade the performance of VPS cause it now has less space to run the application itself.

2) An IT admin who is logged in wordpress from his own PC. If an attacker sends him a crafted link that can open 10 tabs at once and all together start downloading his wordpress log files, it might get little problematic for him.And if his IT team use to check logs of WordPress- this is generally part of audits, where you check the activity of admin users, this might land him in tough times, as to why did he initiate the log downloads when he wasn’t supposed to. Further this will definitely also occupy space on his laptop too. A significant log file and downloads might occupy a huge space which can become an issue for the end user cause he needs to manually remove the file from his pc for a download he didn’t initiate.

Note: See TracTickets for help on using tickets.