Project: GitHub szepeviktor/wordpress-fail2ban (snapshot 20190130)

Vulnerability: #9250213 (2019-01-30 20:53:37)

Warning

Many findings in this corpus are false positives or unexploitable. Build a working proof-of-concept (PoC) exploit before reporting anything to the vendor.

Details:

Sink: Standard::printf — $server_name is substituted unescaped via %s into the XML-RPC response body (lines 796 and 799 in the callstack listing below).
Risk: _SERVER — $server_name is taken from $_SERVER['SERVER_NAME'], falling back to $_SERVER['HTTP_HOST'] (lines 778–780). HTTP_HOST is the client-supplied Host header; SERVER_NAME depends on web-server configuration and, depending on that configuration, may also mirror the Host header.
/wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:780
760          $expire              = time() + 3600;
761          $token               = substr( hash_hmac( 'sha256', (string) rand(), 'token' ), 0, 43 );
762          $hash                = hash_hmac( 'sha256', (string) rand(), 'hash' );
763          $auth_cookie         = $username . '|' . $expire . '|' . $token . '|' . $hash;
764          $authcookie_name     = 'wordpress_' . md5( 'authcookie' );
765          $loggedincookie_name = 'wordpress_logged_in_' . md5( 'cookiehash' );
766  
767          header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
768          header( 'X-Robots-Tag: noindex, nofollow' );
769          setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp_content/plugins', '', false, true );
770          setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp-admin', '', false, true );
771          setcookie( $loggedincookie_name, $auth_cookie, $expire, '/', '', false, true );
772  
773          header( 'Location: http://' . $server_name . '/brake/wp-admin/' );
774      }
775  
776      private function fake_xmlrpc() {
777  
778          $server_name = isset( $_SERVER['SERVER_NAME'] )
779              ? $_SERVER['SERVER_NAME']
780 : $_SERVER['HTTP_HOST'];
781 782 header( 'Connection: Close' );
Threat level 0 (scanner-assigned). Reviewer note: the tainted value is reflected only into the response returned to the client that sent the blocked request, and this excerpt shows no Content-Type header for the fake XML-RPC response (only Connection: Close at line 782), so whether injected markup would be rendered by a browser cannot be judged from this page alone.

Callstack (innermost frame first; each frame shows the call site of the frame above it):

O1\Bad_Request::fake_xmlrpc /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:808
788              '<?xml version="1.0" encoding="UTF-8"?>
789  <methodResponse>
790    <params>
791      <param>
792        <value>
793        <array><data>
794    <value><struct>
795    <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
796    <member><name>url</name><value><string>http://%s/</string></value></member>
797    <member><name>blogid</name><value><string>1</string></value></member>
798    <member><name>blogName</name><value><string>brake</string></value></member>
799    <member><name>xmlrpc</name><value><string>http://%s/brake/xmlrpc.php</string></value></member>
800  </struct></value>
801  </data></array>
802        </value>
803      </param>
804    </params>
805  </methodResponse>
806  ',
807              $server_name,
808 $server_name
809 ); // WPCS: XSS ok. 810 }
O1\Bad_Request::trigger /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:723
703          // Trigger Miniban
704          if ( class_exists( '\Miniban' ) && $this->instant_trigger ) {
705              if ( true !== \Miniban::ban() ) {
706                  // phpcs:set WordPress.PHP.DevelopmentFunctions exclude error_log
707                  error_log( 'Miniban operation failed.' );
708              }
709          }
710  
711          // Trigger fail2ban
712          if ( $this->instant_trigger ) {
713              $this->enhanced_error_log( $this->prefix_instant . $this->result, 'crit' );
714          } else {
715              $this->enhanced_error_log( $this->prefix . $this->result );
716          }
717  
718          ob_get_level() && ob_end_clean();
719          if ( $this->is_options_method ) {
720              $this->disable_options_method();
721  
722          } elseif ( $this->is_xmlrpc ) {
723 $this->fake_xmlrpc();
724 725 } elseif ( ! headers_sent() ) {
O1\Bad_Request::__construct /wordpress-fail2ban-master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php:182
162              || empty( $_SERVER['REQUEST_URI'] )
163          ) {
164              $this->prefix          = 'Server configuration error: ';
165              $this->instant_trigger = false;
166              $this->result          = 'bad_request_superglobal';
167              $this->trigger();
168              exit;
169          }
170  
171          // Don't run on local access
172          if ( $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR'] ) { // WPCS: input var okay.
173              return;
174          }
175  
176          $this->read_constants();
177  
178          $this->result = $this->check();
179  
180          // "false" means there were no bad requests
181          if ( false !== $this->result ) {
182 $this->trigger();
183 exit; 184 }