Project: Github szepeviktor/wordpress-fail2ban 20190130

Vulnerability: #9250219 (2019-01-30 20:53:37)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor!

Details:

Sink Standard::printf
Risk _SERVER
/wordpress-fail2ban-master/non-wp-projects/xmlrpc.php:20
1  <?php
2  /*
3  Snippet Name: Trigger Fail2ban in non-WordPress projects and subdirectory installs.
4  Version: 0.5.0
5  Snippet URI: https://github.com/szepeviktor/wordpress-fail2ban
6  License: The MIT License (MIT)
7  Author: Viktor Szépe
8  */
9  
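// Write the marker line that fail2ban is meant to match on (see the snippet header).
error_log( 'Break-in attempt detected: no_wp_here_xmlrpc' );

// Discard every level of buffered output, not only the innermost one, so that
// nothing already buffered is flushed ahead of the fake XML-RPC response.
while ( ob_get_level() ) {
    if ( ! ob_end_clean() ) {
        break; // A non-removable buffer cannot be closed: stop instead of spinning.
    }
}

// fake_xmlrpc() (defined further down in this file) prints the host name taken
// from $_SERVER (SERVER_NAME, else the client-supplied HTTP_HOST) into the XML
// via printf without escaping — that is the sink this report flags.
fake_xmlrpc();
exit;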
15  
16  function fake_xmlrpc() {
17  
18      $server_name = isset( $_SERVER['SERVER_NAME'] )
19          ? $_SERVER['SERVER_NAME']
20 : $_SERVER['HTTP_HOST'];
21 22 header( 'Connection: Close' );
Threat level 0

Callstack:

@FUNCTION::fake_xmlrpc /wordpress-fail2ban-master/non-wp-projects/xmlrpc.php:47
27      printf( '<?xml version="1.0" encoding="UTF-8"?>
28  <methodResponse>
29    <params>
30      <param>
31        <value>
32        <array><data>
33    <value><struct>
34    <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
35    <member><name>url</name><value><string>http://%s/</string></value></member>
36    <member><name>blogid</name><value><string>1</string></value></member>
37    <member><name>blogName</name><value><string>brake</string></value></member>
38    <member><name>xmlrpc</name><value><string>http://%s/brake/xmlrpc.php</string></value></member>
39  </struct></value>
40  </data></array>
41        </value>
42      </param>
43    </params>
44  </methodResponse>
45  ',
46          $server_name,
47 $server_name
48 ); 49 }
@INLINE::/wordpress-fail2ban-master/non-wp-projects/xmlrpc.php /wordpress-fail2ban-master/non-wp-projects/xmlrpc.php:13
1  <?php
2  /*
3  Snippet Name: Trigger Fail2ban in non-WordPress projects and subdirectory installs.
4  Version: 0.5.0
5  Snippet URI: https://github.com/szepeviktor/wordpress-fail2ban
6  License: The MIT License (MIT)
7  Author: Viktor Szépe
8  */
9  
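// Write the marker line that fail2ban is meant to match on (see the snippet header).
error_log( 'Break-in attempt detected: no_wp_here_xmlrpc' );

// Discard every level of buffered output, not only the innermost one, so that
// nothing already buffered is flushed ahead of the fake XML-RPC response.
while ( ob_get_level() ) {
    if ( ! ob_end_clean() ) {
        break; // A non-removable buffer cannot be closed: stop instead of spinning.
    }
}

// fake_xmlrpc() (defined further down in this file) prints the host name taken
// from $_SERVER (SERVER_NAME, else the client-supplied HTTP_HOST) into the XML
// via printf without escaping — that is the sink this report flags.
fake_xmlrpc();
exit;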