Project: Github szepeviktor/wordpress-fail2ban 20190130

Vulnerability: #9250212 (2019-01-30 20:53:37)

Warning

Many of these findings are false positives or unexploitable vulnerabilities. Please build a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::file_put_contents
Risk _FILES
/wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:301 (show/hide source)
281              && 'POST' === $request_method
282              && false !== strpos( $request_path, '/customer/account/createpost' )
283              && isset( $_SERVER['HTTP_CF_RAY'] ) // Cloudflare request
284          ) {
285              if ( empty( $_POST ) ) {
286                  // phpcs:ignore WordPress.VIP.RestrictedFunctions
287                  $request_data = file_get_contents( 'php://input' );
288              } else {
289                  $request_data = $_POST;
290              }
291              $dump_file = sprintf(
292                  '%s/request-at-%s-from-%s.json',
293                  sys_get_temp_dir(),
294                  time(),
295                  $_SERVER['REMOTE_ADDR']
296              );
297              $dump      = json_encode(
298                  array(
299                      'headers' => $this->apache_request_headers(),
300                      'request' => $request_data,
301 'files' => $_FILES,
302 ), 303 JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
Threat level 0

Callstack:

O1\Bad_Request::check /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:306 (show/hide source)
286                  // phpcs:ignore WordPress.VIP.RestrictedFunctions
287                  $request_data = file_get_contents( 'php://input' );
288              } else {
289                  $request_data = $_POST;
290              }
291              $dump_file = sprintf(
292                  '%s/request-at-%s-from-%s.json',
293                  sys_get_temp_dir(),
294                  time(),
295                  $_SERVER['REMOTE_ADDR']
296              );
297              $dump      = json_encode(
298                  array(
299                      'headers' => $this->apache_request_headers(),
300                      'request' => $request_data,
301                      'files'   => $_FILES,
302                  ),
303                  JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
304              );
305              // phpcs:ignore WordPress.VIP.FileSystemWritesDisallow
306 file_put_contents( $dump_file, $dump, FILE_APPEND | LOCK_EX );
307 } 308
O1\Bad_Request::__construct /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:178 (show/hide source)
158          if ( empty( $_SERVER['SERVER_ADDR'] )
159              || empty( $_SERVER['REMOTE_ADDR'] )
160              || empty( $_SERVER['REMOTE_PORT'] )
161              || empty( $_SERVER['REQUEST_METHOD'] )
162              || empty( $_SERVER['REQUEST_URI'] )
163          ) {
164              $this->prefix          = 'Server configuration error: ';
165              $this->instant_trigger = false;
166              $this->result          = 'bad_request_superglobal';
167              $this->trigger();
168              exit;
169          }
170  
171          // Don't run on local access
172          if ( $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR'] ) { // WPCS: input var okay.
173              return;
174          }
175  
176          $this->read_constants();
177  
178 $this->result = $this->check();
179 180 // "false" means there were no bad requests