Project: Github szepeviktor/wordpress-fail2ban 20190130

Vulnerability: #9250224 (2019-01-30 20:53:38)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::header
Risk _SERVER
/wordpress-fail2ban-master/non-wp-projects/wp-login.php:20 (show/hide source)
1  <?php
2  /*
3  Snippet Name: Trigger Fail2ban in non-WordPress projects and subdirectory installs.
4  Version: 0.4.0
5  Snippet URI: https://github.com/szepeviktor/wordpress-fail2ban
6  License: The MIT License (MIT)
7  Author: Viktor Szépe
8  */
9  
10  error_log( 'Break-in attempt detected: no_wp_here_wplogin' );
11  
12  ob_get_level() && ob_end_clean();
13  fake_wplogin();
14  exit;
15  
16  function fake_wplogin() {
17  
18      $server_name = isset( $_SERVER['SERVER_NAME'] )
19          ? $_SERVER['SERVER_NAME']
20 : $_SERVER['HTTP_HOST'];
21 $username = isset( $_POST['log'] ) ? trim( $_POST['log'] ) : 'admin'; 22 $expire = time() + 3600;
Threat level 0

Callstack:

@FUNCTION::fake_wplogin /wordpress-fail2ban-master/non-wp-projects/wp-login.php:36 (show/hide source)
16  function fake_wplogin() {
17  
18      $server_name = isset( $_SERVER['SERVER_NAME'] )
19          ? $_SERVER['SERVER_NAME']
20          : $_SERVER['HTTP_HOST'];
21      $username = isset( $_POST['log'] ) ? trim( $_POST['log'] ) : 'admin';
22      $expire = time() + 3600;
23      $token = substr( hash_hmac( 'sha256', rand(), 'token' ), 0, 43 );
24      $hash = hash_hmac( 'sha256', rand(), 'hash' );
25      $auth_cookie = $username . '|' . $expire . '|' . $token . '|' . $hash;
26      $authcookie_name = 'wordpress_' . md5( 'authcookie' );
27      $loggedincookie_name = 'wordpress_logged_in_' . md5( 'cookiehash' );
28  
29      header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
30      header( 'X-Robots-Tag: noindex, nofollow' );
31      setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp_content/plugins', false, false, true );
32      setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp-admin', false, false, true );
33      setcookie( $loggedincookie_name, $auth_cookie, $expire, '/', false, false, true );
34      // Should return HTTP/400
35      $server_name = $_SERVER['SERVER_ADDR'];
36 header( 'Location: http://' . $server_name . '/brake/wp-admin/' );
37 }
@INLINE::/wordpress-fail2ban-master/non-wp-projects/wp-login.php /wordpress-fail2ban-master/non-wp-projects/wp-login.php:13 (show/hide source)
1  <?php
2  /*
3  Snippet Name: Trigger Fail2ban in non-WordPress projects and subdirectory installs.
4  Version: 0.4.0
5  Snippet URI: https://github.com/szepeviktor/wordpress-fail2ban
6  License: The MIT License (MIT)
7  Author: Viktor Szépe
8  */
9  
10  error_log( 'Break-in attempt detected: no_wp_here_wplogin' );
11  
12  ob_get_level() && ob_end_clean();
13 fake_wplogin();
14 exit; 15