[wp-trac] [WordPress Trac] #57451: Cross Site Request Forgery on Admin of any wordpress site to export files
WordPress Trac
noreply at wordpress.org
Wed Feb 15 00:23:48 UTC 2023
#57451: Cross Site Request Forgery on Admin of any wordpress site to export files
--------------------------+------------------------------
Reporter: f41z4n | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Export | Version: 6.1.1
Severity: major | Resolution:
Keywords: needs-patch | Focuses: administration
--------------------------+------------------------------
Changes (by sabernhardt):
* component: General => Export
Old description:
> [Marked as No Impact By WordPress HackerOne Team]
>
> Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
> execute unwanted actions on a web application in which they’re currently
> authenticated. With a little help from social engineering (such as sending
> a link via email or chat), an attacker may trick the users of a web
> application into executing actions of the attacker’s choosing.
> Steps To Reproduce:
>
> 1. Log in to the WordPress backend as an Admin.
> 2. Go to Tools > Export > Select what to export.
> 3. Select the data you want to export. Capture this request using a web
> proxy like Burp Suite.
> 4. Since this is a GET request, copy the URL to which the request is made.
> 5. Send this URL to another admin or user with equal rights.
> 6. When he clicks on the URL, he shall download the file automatically.
>
> The vulnerable endpoint:
> http://<your_wp.com>/wp-admin/export.php?download=true&content=all&cat=0&post_author=2&post_start_date=0&post_end_date=0&post_status=0&page_author=0&page_start_date=0&page_end_date=0&page_status=0&attachment_start_date=0&attachment_end_date=0&submit=Download+Export+File
>
> Recommendations
> Enforce CSRF protection like a wpNonce token for the file export endpoint.
>
> Impact
> Unauthorised file download on an administrator's PC.
> An attacker can write a script which sends 100s of GET requests at once
> to the endpoint, and share the script with another user, and when he
> downloads 100 files at once, it shall also consume his disk space.
New description:
[Marked as No Impact By WordPress HackerOne Team]
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they’re currently
authenticated. With a little help from social engineering (such as sending a
link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker’s choosing.
Steps To Reproduce:
1. Log in to the WordPress backend as an Admin.
2. Go to Tools > Export > Select what to export.
3. Select the data you want to export. Capture this request using a web
proxy like Burp Suite.
4. Since this is a GET request, copy the URL to which the request is made.
5. Send this URL to another admin or user with equal rights.
6. When he clicks on the URL, he shall download the file automatically.
The vulnerable endpoint:
`http://<your_wp.com>/wp-admin/export.php?download=true&content=all&cat=0&post_author=2&post_start_date=0&post_end_date=0&post_status=0&page_author=0&page_start_date=0&page_end_date=0&page_status=0&attachment_start_date=0&attachment_end_date=0&submit=Download+Export+File`
Recommendations
Enforce CSRF protection like a wpNonce token for the file export endpoint.
Impact
Unauthorised file download on an administrator's PC.
An attacker can write a script which sends 100s of GET requests at once to
the endpoint, and share the script with another user, and when he downloads
100 files at once, it shall also consume his disk space.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57451#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
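As an added example (not WordPress core code and not from the reporter), a hypothetical plugin admin page that guards a download action the way the report recommends, with a nonce bound to the user and action plus a capability check; the page slug, action name and load hook are assumptions.

```php
<?php
// Added example, not WordPress core code: a hypothetical plugin admin page whose
// download action is protected the way the report recommends (nonce plus
// capability check). The page slug, action name and hook name are assumptions.

add_action( 'admin_menu', function () {
    add_management_page(
        'Example Export', 'Example Export', 'export',
        'example-export', 'example_export_page'
    );
} );

// Render the form. wp_nonce_field() embeds a nonce bound to the current user
// and to the 'example_export_download' action (default field name: _wpnonce).
function example_export_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_export_download' ); ?>
        <label><input type="checkbox" name="content" value="all" checked> All content</label>
        <?php submit_button( 'Download Export File' ); ?>
    </form>
    <?php
}

// Handle the submission before any page output; 'load-tools_page_example-export'
// is the load hook for the Tools submenu page registered above.
add_action( 'load-tools_page_example-export', function () {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return; // Only the form submit triggers a download, never a bare GET link.
    }
    // Capability check first: users without the 'export' capability stop here.
    if ( ! current_user_can( 'export' ) ) {
        wp_die( 'Sorry, you are not allowed to export the content of this site.' );
    }
    // check_admin_referer() verifies _wpnonce against the action and dies on
    // failure, so a URL or form copied from elsewhere cannot replay the request.
    check_admin_referer( 'example_export_download' );

    $charset = get_option( 'blog_charset' );
    nocache_headers();
    header( 'Content-Type: application/xml; charset=' . $charset );
    header( 'Content-Disposition: attachment; filename=example-export.xml' );
    echo '<?xml version="1.0" encoding="' . esc_attr( $charset ) . '"?>';
    // The real export payload, built from the validated request, would go here.
    echo '<export/>';
    exit;
} );
```

Because the nonce is tied to the logged-in user and expires, a URL or form copied from one administrator's session fails the check_admin_referer() check when another user submits it, which is the link-forwarding scenario the report describes.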