Summary
For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user.
That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses.
Specifically, the metadata API endpoint 169.254.169.254 of common cloud providers like AWS, Google Cloud, and others is at risk. While that exact IP address is already filtered, other notations like decimal or hex notations, or hostnames returning that IP, are not.
Details
The PoC requires a WordPress user role of Author or higher (to which the tablepress_import_tables access capability is assigned), as only these can use the import feature.
PoC
- Go to the TablePress "Import" screen.
- Choose the "URL" import source.
- Use an Import URL like
http://host/latest/meta-data/, with host being having an DNS A record of 169.254.169.254.
- If the site is hosted on a common cloud provider's infrastructure, that endpoint's data will be parsed as a CSV file and shown, if it is available.
Impact
On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials.
Notably, cloud providers are more and more protecting this API endpoint by also requiring a special HTTP header to be present during the request. Also, only GET requests are possible with this method, further limiting the risk. Given that most WordPress sites are not hosted on dedicated cloud provider setups, the overall impact of this issue is low.
Summary
For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user.
That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses.
Specifically, the metadata API endpoint
169.254.169.254of common cloud providers like AWS, Google Cloud, and others is at risk. While that exact IP address is already filtered, other notations like decimal or hex notations, or hostnames returning that IP, are not.Details
The PoC requires a WordPress user role of Author or higher (to which the
tablepress_import_tablesaccess capability is assigned), as only these can use the import feature.PoC
http://host/latest/meta-data/, withhostbeing having an DNSArecord of169.254.169.254.Impact
On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials.
Notably, cloud providers are more and more protecting this API endpoint by also requiring a special HTTP header to be present during the request. Also, only GET requests are possible with this method, further limiting the risk. Given that most WordPress sites are not hosted on dedicated cloud provider setups, the overall impact of this issue is low.