Project: Github szepeviktor/wordpress-fail2ban 20190130

Vulnerability: #9250228 (2019-01-30 20:53:41)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::setcookie
Risk _POST
/wordpress-fail2ban-master/mu-plugin/wp-fail2ban-mu-instant.php:272 (show/hide source) 
252          }
253  
254      }
255  
256      private function ban() {
257  
258          header( 'Status: 403 Forbidden' );
259          header( 'HTTP/1.1 403 Forbidden', true, 403 );
260          header( 'Connection: Close' );
261          header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
262          header( 'X-Robots-Tag: noindex, nofollow' );
263          header( 'Content-Type: text/html' );
264          header( 'Content-Length: 0' );
265      }
266  
267      private function fake_wplogin() {
268  
269          $server_name         = isset( $_SERVER['SERVER_NAME'] )
270              ? $_SERVER['SERVER_NAME']
271              : $_SERVER['HTTP_HOST'];

272          $username            = trim( $_POST['log'] );

273          $expire              = time() + 3600;
274          $token               = substr( hash_hmac( 'sha256', (string) rand(), 'token' ), 0, 43 );
Threat level 1

Callstack:

O1\WP_Fail2ban::fake_wplogin /wordpress-fail2ban-master/mu-plugin/wp-fail2ban-mu-instant.php:282 (show/hide source) 
262          header( 'X-Robots-Tag: noindex, nofollow' );
263          header( 'Content-Type: text/html' );
264          header( 'Content-Length: 0' );
265      }
266  
267      private function fake_wplogin() {
268  
269          $server_name         = isset( $_SERVER['SERVER_NAME'] )
270              ? $_SERVER['SERVER_NAME']
271              : $_SERVER['HTTP_HOST'];
272          $username            = trim( $_POST['log'] );
273          $expire              = time() + 3600;
274          $token               = substr( hash_hmac( 'sha256', (string) rand(), 'token' ), 0, 43 );
275          $hash                = hash_hmac( 'sha256', (string) rand(), 'hash' );
276          $auth_cookie         = $username . '|' . $expire . '|' . $token . '|' . $hash;
277          $authcookie_name     = 'wordpress_' . md5( 'authcookie' );
278          $loggedincookie_name = 'wordpress_logged_in_' . md5( 'cookiehash' );
279  
280          header( 'Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate' );
281          header( 'X-Robots-Tag: noindex, nofollow' );

282          setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp_content/plugins', '', false, true );

283          setcookie( $authcookie_name, $auth_cookie, $expire, '/brake/wp-admin', '', false, true );
284          setcookie( $loggedincookie_name, $auth_cookie, $expire, '/', '', false, true );
O1\WP_Fail2ban::trigger_instant /wordpress-fail2ban-master/mu-plugin/wp-fail2ban-mu-instant.php:206 (show/hide source) 
186  
187          // Trigger Miniban at first
188          if ( class_exists( '\Miniban' ) ) {
189              if ( true !== \Miniban::ban() ) {
190                  $this->enhanced_error_log( 'Miniban operation failed.' );
191              }
192          }
193  
194          $this->trigger( $slug, $message, $level, $this->prefix_instant );
195  
196          // Remove session
197          remove_action( 'wp_logout', array( $this, 'logout' ) );
198          wp_logout();
199  
200          // Respond
201          ob_get_level() && ob_end_clean();
202          if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
203              $this->fake_xmlrpc();
204          } elseif ( ! headers_sent() ) {
205              if ( 'wp-login.php' === $GLOBALS['pagenow'] && ! empty( $_POST['log'] ) ) {

206                  $this->fake_wplogin();

207              } else {
208                  $this->ban();
O1\WP_Fail2ban::unknown_action /wordpress-fail2ban-master/mu-plugin/wp-fail2ban-mu-instant.php:704 (show/hide source) 
684          // Check tag first to speed things up
685          if ( 'wp_ajax_' === substr( $tag, 0, 8 )
686              || 'admin_post_' === substr( $tag, 0, 11 )
687          ) {
688              global $wp_actions;
689              global $wp_filter;
690  
691              $whitelisted_actions = array(
692                  'wp_ajax_nopriv_wp-remove-post-lock',
693                  'wp_ajax_nopriv_SimpleHistoryNewRowsNotifier',
694              );
695  
696              // Actions only, not filters, not registered ones, except whitelisted ones
697              // Actions are basically filters
698              if ( is_array( $wp_actions )
699                  && array_key_exists( $tag, $wp_actions )
700                  && is_array( $wp_filter )
701                  && ! array_key_exists( $tag, $wp_filter )
702                  && ! in_array( $tag, $whitelisted_actions, true )
703              ) {

704                  $this->trigger_instant( 'wpf2b_admin_action_unknown', $tag );

705              }
706          }
Donations: BTC: 3Ad7PMcMXD5jAbCVhPVzhwPxiyQ5u141UT ETH: 0x8986ebDE686FEF47C724320EEE0C39B7C0fBf7f1 XMR: 46Fu9dwcPuDXZD5yqzqD7Y8VUBdGCscgCbVEeNSnS67zRu2hRhBMyi1KR3LAsisSXhaMNk9mihfFQ7utVjfs562PReYAnpG

Copyright (C) 2018 by php-grinder.com