Summary
For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user.
That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses.
Specifically, the metadata API endpoint 169.254.169.254
of common cloud providers like AWS, Google Cloud, and others is at risk. While that exact IP address is already filtered, other notations like decimal or hex notations, or hostnames returning that IP, are not.
Details
The PoC requires a WordPress user role of Author or higher (to which the tablepress_import_tables
access capability is assigned), as only these can use the import feature.
PoC
- Go to the TablePress "Import" screen.
- Choose the "URL" import source.
- Use an Import URL like
http://host/latest/meta-data/
, with host
being having an DNS A
record of 169.254.169.254
.
- If the site is hosted on a common cloud provider's infrastructure, that endpoint's data will be parsed as a CSV file and shown, if it is available.
Impact
On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials.
Notably, cloud providers are more and more protecting this API endpoint by also requiring a special HTTP header to be present during the request. Also, only GET requests are possible with this method, further limiting the risk. Given that most WordPress sites are not hosted on dedicated cloud provider setups, the overall impact of this issue is low.
Summary
For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user.
That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses.
Specifically, the metadata API endpoint
169.254.169.254
of common cloud providers like AWS, Google Cloud, and others is at risk. While that exact IP address is already filtered, other notations like decimal or hex notations, or hostnames returning that IP, are not.Details
The PoC requires a WordPress user role of Author or higher (to which the
tablepress_import_tables
access capability is assigned), as only these can use the import feature.PoC
http://host/latest/meta-data/
, withhost
being having an DNSA
record of169.254.169.254
.Impact
On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials.
Notably, cloud providers are more and more protecting this API endpoint by also requiring a special HTTP header to be present during the request. Also, only GET requests are possible with this method, further limiting the risk. Given that most WordPress sites are not hosted on dedicated cloud provider setups, the overall impact of this issue is low.