Project: Github szepeviktor/wordpress-fail2ban 20190130

Vulnerability: #9250207 (2019-01-30 20:53:36)

Warning

Many reported findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::setcookie
Risk _POST
/wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:759
739          header( 'Connection: Close' );
740          header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
741          header( 'X-Robots-Tag: noindex, nofollow' );
742          header( 'Content-Length: 0' );
743      }
744  
         /**
          * Reject an OPTIONS request with 405 Method Not Allowed and an empty body.
          * Called from trigger() when $this->is_options_method is set; it only emits
          * response headers and produces no output of its own.
          */
745      private function disable_options_method() {
746  
747          header( 'Status: 405 Method Not Allowed' ); // 'Status:' form; the next line sets the real HTTP response code
748          header( 'HTTP/1.1 405 Method Not Allowed', true, 405 ); // replace any earlier status line, response code 405
749  
750          header( 'Allow: GET, POST, HEAD' ); // advertise the methods that are accepted instead of OPTIONS
751          header( 'Content-Length: 0' ); // explicitly empty body
752      }
753  
754      private function fake_wplogin() {
755  
756          $server_name         = isset( $_SERVER['SERVER_NAME'] )
757              ? $_SERVER['SERVER_NAME']
758              : $_SERVER['HTTP_HOST'];
759 $username = trim( $_POST['log'] );
760 $expire = time() + 3600; 761 $token = substr( hash_hmac( 'sha256', (string) rand(), 'token' ), 0, 43 );
Threat level 1 (low). The tainted value, trim( $_POST['log'] ) at line 759, reaches setcookie() only as the cookie value, which PHP URL-encodes before emitting the Set-Cookie header; the cookie name, path and expiry are fixed in code. Confirm with a working PoC before reporting.

Callstack:

O1\Bad_Request::fake_wplogin /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:769
749  
750          header( 'Allow: GET, POST, HEAD' );
751          header( 'Content-Length: 0' );
752      }
753  
754      private function fake_wplogin() {
755  
756          $server_name         = isset( $_SERVER['SERVER_NAME'] )
757              ? $_SERVER['SERVER_NAME']
758              : $_SERVER['HTTP_HOST'];
759          $username            = trim( $_POST['log'] );
760          $expire              = time() + 3600;
761          $token               = substr( hash_hmac( 'sha256', (string) rand(), 'token' ), 0, 43 );
762          $hash                = hash_hmac( 'sha256', (string) rand(), 'hash' );
763          $auth_cookie         = $username . '|' . $expire . '|' . $token . '|' . $hash;
764          $authcookie_name     = 'wordpress_' . md5( 'authcookie' );
765          $loggedincookie_name = 'wordpress_logged_in_' . md5( 'cookiehash' );
766  
767          header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
768          header( 'X-Robots-Tag: noindex, nofollow' );
769 setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp_content/plugins', '', false, true );
770 setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp-admin', '', false, true ); 771 setcookie( $loggedincookie_name, $auth_cookie, $expire, '/', '', false, true );
O1\Bad_Request::trigger /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:727
707                  error_log( 'Miniban operation failed.' );
708              }
709          }
710  
711          // Trigger fail2ban
712          if ( $this->instant_trigger ) {
713              $this->enhanced_error_log( $this->prefix_instant . $this->result, 'crit' );
714          } else {
715              $this->enhanced_error_log( $this->prefix . $this->result );
716          }
717  
718          ob_get_level() && ob_end_clean();
719          if ( $this->is_options_method ) {
720              $this->disable_options_method();
721  
722          } elseif ( $this->is_xmlrpc ) {
723              $this->fake_xmlrpc();
724  
725          } elseif ( ! headers_sent() ) {
726              if ( $this->is_login && ! empty( $_POST['log'] ) ) {
727 $this->fake_wplogin();
728 } else { 729 $this->ban();
O1\Bad_Request::__construct /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:167
147      public function __construct() {
148  
149          // Don't run on CLI
150          // Don't run on install or upgrade
151          // WP_INSTALLING is available even before wp-config.php
152          if ( 'cli' === php_sapi_name()
153              || ( defined( 'WP_INSTALLING' ) && WP_INSTALLING )
154          ) {
155              return;
156          }
157  
158          if ( empty( $_SERVER['SERVER_ADDR'] )
159              || empty( $_SERVER['REMOTE_ADDR'] )
160              || empty( $_SERVER['REMOTE_PORT'] )
161              || empty( $_SERVER['REQUEST_METHOD'] )
162              || empty( $_SERVER['REQUEST_URI'] )
163          ) {
164              $this->prefix          = 'Server configuration error: ';
165              $this->instant_trigger = false;
166              $this->result          = 'bad_request_superglobal';
167 $this->trigger();
168 exit; 169 }