lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Mar 2021 13:18:08 +0300
From: Alphan YAVAS <alphan.yv@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] Data Manipulation with X-Forwarded-For header at WordPress

I. VULNERABILITY
-------------------------
Data Manipulation with X-Forwarded-For header at WordPress

II. CVE REFERENCE
-------------------------
CVE-2020-35539

III. VENDOR
-------------------------
https://wordpress.org

IV. TIMELINE
-------------------------
20/12/2020 Vulnerability discovered
21/12/2020 Vendor contacted
09/03/2021 CVE Assigned

V. CREDIT
-------------------------
Alphan Yavas

VI. DESCRIPTION
-------------------------
"X-Forwarded-For" is a HTTP header used to carry the client's original
IP address. However, because these headers may very well be added by
the client to the requests, if the systems/devices use IP addresses
which decelerate at X-Forwarded-For header instead of original IP,
various issues may be faced. If the data originating from these fields
is trusted by the application developers and processed, any
authorization checks originating IP address logging could be
manipulated.

VII. PROOF OF CONCEPT
-------------------------
Affected Component: Wordpress core
Affected version Wordpress 5.1

-Add X-Forwarded-For header to the /wp-admin
-You will get an error about your IP
-Next go /wp-admin/admin-ajax.php and add X-Forwarded-For header again

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists