Project: Github szepeviktor/wordpress-fail2ban 20190130

Vulnerability: #9250222 (2019-01-30 20:53:38)

Warning

Many reported findings are false positives or unexploitable vulnerabilities. Please create a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink Standard::setcookie
Risk _POST
/wordpress-fail2ban-master/non-wp-projects/wp-login.php:21 (show/hide source)
1  <?php
2  /*
3  Snippet Name: Trigger Fail2ban in non-WordPress projects and subdirectory installs.
4  Version: 0.4.0
5  Snippet URI: https://github.com/szepeviktor/wordpress-fail2ban
6  License: The MIT License (MIT)
7  Author: Viktor Szépe
8  */
9  
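// Write the marker line that the log watcher (fail2ban, per the snippet header)
// is expected to match on for this probe.
error_log( 'Break-in attempt detected: no_wp_here_wplogin' );

// Discard every pending output buffer, not only the innermost one: output still
// buffered by the host project would otherwise be flushed to the client on exit,
// together with the fake login response.
while ( ob_get_level() ) {
    ob_end_clean();
}
fake_wplogin();
exit;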
15  
16  function fake_wplogin() {
17  
18      $server_name = isset( $_SERVER['SERVER_NAME'] )
19          ? $_SERVER['SERVER_NAME']
20          : $_SERVER['HTTP_HOST'];
21 $username = isset( $_POST['log'] ) ? trim( $_POST['log'] ) : 'admin';
22 $expire = time() + 3600; 23 $token = substr( hash_hmac( 'sha256', rand(), 'token' ), 0, 43 );
Threat level 1

Callstack:

@FUNCTION::fake_wplogin /wordpress-fail2ban-master/non-wp-projects/wp-login.php:32 (show/hide source)
12  ob_get_level() && ob_end_clean();
13  fake_wplogin();
14  exit;
15  
16  function fake_wplogin() {
17  
18      $server_name = isset( $_SERVER['SERVER_NAME'] )
19          ? $_SERVER['SERVER_NAME']
20          : $_SERVER['HTTP_HOST'];
21      $username = isset( $_POST['log'] ) ? trim( $_POST['log'] ) : 'admin';
22      $expire = time() + 3600;
23      $token = substr( hash_hmac( 'sha256', rand(), 'token' ), 0, 43 );
24      $hash = hash_hmac( 'sha256', rand(), 'hash' );
25      $auth_cookie = $username . '|' . $expire . '|' . $token . '|' . $hash;
26      $authcookie_name = 'wordpress_' . md5( 'authcookie' );
27      $loggedincookie_name = 'wordpress_logged_in_' . md5( 'cookiehash' );
28  
29      header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
30      header( 'X-Robots-Tag: noindex, nofollow' );
31      setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp_content/plugins', false, false, true );
32 setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp-admin', false, false, true );
33 setcookie( $loggedincookie_name, $auth_cookie, $expire, '/', false, false, true ); 34 // Should return HTTP/400
@INLINE::/wordpress-fail2ban-master/non-wp-projects/wp-login.php /wordpress-fail2ban-master/non-wp-projects/wp-login.php:13 (show/hide source)
1  <?php
2  /*
3  Snippet Name: Trigger Fail2ban in non-WordPress projects and subdirectory installs.
4  Version: 0.4.0
5  Snippet URI: https://github.com/szepeviktor/wordpress-fail2ban
6  License: The MIT License (MIT)
7  Author: Viktor Szépe
8  */
9  
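// Write the marker line that the log watcher (fail2ban, per the snippet header)
// is expected to match on for this probe.
error_log( 'Break-in attempt detected: no_wp_here_wplogin' );

// Discard every pending output buffer, not only the innermost one: output still
// buffered by the host project would otherwise be flushed to the client on exit,
// together with the fake login response.
while ( ob_get_level() ) {
    ob_end_clean();
}
fake_wplogin();
exit;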