Title: Two Content Injection vulnerabilities in WordPress Plugin DTracker v1.5 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-03-08 |
CVE-ID: CVE-2017-1002006, CVE-2017-1002007 |
CWE: CWE-306 Missing Authentication for Critical Function |
Download Site: https://wordpress.org/plugins/dtracker/ |
Vendor: https://profiles.wordpress.org/dijo/ |
Vendor Notified: 2017-03-09 |
Vendor Contact: plugins@wordpress.org |
Advisory: http://www.vapidlabs.com/advisory.php?v=186 |
Description: Tracks the details of the users downloading PDF files from a WordPress site. |
Vulnerability: CVE-2017-1002006:
In file dtracker/save_contact.php
The handler takes its fields straight from $_POST and writes them to the wp_contacts table with $wpdb->update() without any nonce, capability or ownership check, so an unauthenticated POST request can overwrite the name, company, phone and country of whichever contact row the attacker names in contact_id. $wpdb->update() parameterises the query, so the problem is not SQL injection: untrusted, unsanitised content is stored and later shown to the administrator. A malicious user can store JavaScript in these fields to be executed in the browser of the admin user when the contact list is viewed. The table name is also hard-coded as wp_contacts instead of being built from $wpdb->prefix.
// No check_ajax_referer(), current_user_can() or ownership check precedes this point.
$name = $_POST['name'];
$company = $_POST['company'];
$phone = $_POST['phone'];
$country = $_POST['country'];
$contact_id = $_POST['contact_id']; // attacker chooses which row to overwrite
$table = 'wp_contacts';
$data = array(
'name' => $name,
'company' => $company,
'phone' => $phone,
'country' => $country,
);
$where = array(
'id' => $contact_id
);
$wpdb->flush();
$wpdb->update( $table, $data, $where ); //Update the Contact
CVE-2017-1002007:
In file dtracker/save_mail.php
The handler inserts a new row into the wp_contacts table without any nonce, capability or ownership check, so a simple POST request lets any unauthenticated user add contacts. Only the email field is attacker controlled (time and ip are set server side); JavaScript placed in it is stored and executed in the browser of the admin user when the contact list is viewed. The response echoes the id of the new row as JSON, which is exactly what a follow-up request to save_contact.php needs in order to target that row.
// No check_ajax_referer() or current_user_can() check precedes this point.
$email = $_POST['email'];
$time = date('Y-m-d H:i:s');
$ip = $_SERVER['REMOTE_ADDR']; //get IP address of the visitor
$table = "wp_contacts";
$data = array (
'email' => $email,
'time' => $time,
'ip' => $ip
);
$wpdb->insert( $table, $data); //Insert Values
$contact_id = $wpdb->insert_id; //Get ID of the last inserted row
$data['contactId'] = $contact_id;
echo json_encode($data); //Pass the id to the JS |
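The following is an added example of how both handlers quoted above could be hardened; it is not the plugin's code and was not part of the original advisory. Because the plugin's description says the forms are filled in by anonymous visitors before a download, a login or capability check alone would break the feature, so the example binds the save_contact update to a nonce issued when the row is created (a visitor can only update the row it just inserted), sanitises every stored field, validates the email, uses $wpdb->prefix instead of a hard-coded "wp_", and escapes on output. The hook names, the nonce action string, the "token" POST field, the helper names and the use of wp_send_json_error() with an HTTP status (WordPress 4.7+) are all this example's own assumptions; if the endpoints are in fact meant for logged-in users only, add a current_user_can() check at the top of each handler as well.

```php
<?php
// Added example (not DTracker's code). Assumes it runs inside WordPress,
// registered through admin-ajax.php, so $wpdb, nonces and sanitisers exist.
// Hook names, nonce action, the "token" field and status codes are assumptions.

add_action( 'wp_ajax_nopriv_dtracker_save_mail',    'dtracker_example_save_mail' );
add_action( 'wp_ajax_dtracker_save_mail',           'dtracker_example_save_mail' );
add_action( 'wp_ajax_nopriv_dtracker_save_contact', 'dtracker_example_save_contact' );
add_action( 'wp_ajax_dtracker_save_contact',        'dtracker_example_save_contact' );

// Step 1 (replaces save_mail.php): validate the email, insert the row, and
// return the new id together with a nonce bound to that id. Only a caller
// holding this nonce can later update the row.
function dtracker_example_save_mail() {
    global $wpdb;

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '';

    $table = $wpdb->prefix . 'contacts';   // never hard-code "wp_"
    $ok = $wpdb->insert(
        $table,
        array(
            'email' => $email,
            'time'  => current_time( 'mysql' ),
            'ip'    => $ip,
        ),
        array( '%s', '%s', '%s' )
    );
    if ( false === $ok ) {
        wp_send_json_error( array( 'message' => 'db error' ), 500 );
    }

    $contact_id = (int) $wpdb->insert_id;
    wp_send_json_success( array(
        'contactId' => $contact_id,
        'token'     => wp_create_nonce( 'dtracker_contact_' . $contact_id ),
    ) );
}

// Step 2 (replaces save_contact.php): refuse unless the caller proves it
// created this exact row, then sanitise every field before storing it.
function dtracker_example_save_contact() {
    global $wpdb;

    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
    $token      = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';

    // The nonce action includes the id, so a token for row 5 does not
    // authorise an update of row 6; arbitrary rows can no longer be overwritten.
    if ( 0 === $contact_id || ! wp_verify_nonce( $token, 'dtracker_contact_' . $contact_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $data = array();
    foreach ( array( 'name', 'company', 'phone', 'country' ) as $field ) {
        $data[ $field ] = isset( $_POST[ $field ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) )
            : '';
    }

    $updated = $wpdb->update(
        $wpdb->prefix . 'contacts',
        $data,
        array( 'id' => $contact_id ),
        array( '%s', '%s', '%s', '%s' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        wp_send_json_error( array( 'message' => 'db error' ), 500 );
    }
    wp_send_json_success( array( 'contactId' => $contact_id ) );
}

// Defence in depth: sanitize_text_field() strips tags but is not an HTML
// escaper, so the admin listing must still escape each value when rendering.
function dtracker_example_render_cell( $value ) {
    return esc_html( $value );
}
```

The front-end JavaScript would have to carry the token returned by the first request into the second; with that in place, an attacker who never performed the insert has no valid token for an existing row, and whatever does get stored reaches the administrator's page only through esc_html().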
Exploit Code: |
Screen Shots: [dtracker.png] |
Notes: I imagine you could get RCE similar to some exploits targeting the WordPress JSON API vulnerability Marc Montpas discovered. |