Skip to content
/ Wordpress_cve-2019-9787_defense Public

This is a recurrence of cve-2019-9787 on Wordpress and a hash-based defense.

3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sijiahi/Wordpress_cve-2019-9787_defense

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
wp-includes
wp-includes
 
 
README.md
README.md
 
 
mal.html
mal.html
 
 
post.html
post.html
 
 

Repository files navigation

Wordpress_cve-2019-9787_defense

Notice

This is a project by Sijia Zhang(https://github.com/sijiahi) and Bowen Zhou(https://github.com/KonjakZhou)

**Prerequisite:

1 Recurrence Attack:

- Configure and install Wordpress5.0 under http://localhost/wp-admin/;
- Log in Wordpress as admin, post at least one article;
- open mal.html(configured under another domain name, possibly directly open as file in browser),click submit request.
- If this works, you would be redirected to article page with "cilick me" comment, once you move your mouse over it, a prompt window indicating success attack would appear.

2 Defense:

-Replece files in /wp-includes, add js scripts in /wp-includes/js.
-Move the mock post file in WP rigion, open the mock post page to test PINGBACK/TRACEBACK function.
-If this worked, you will be redirected to article page with "legal anchor" comment;
-Open mal.com from anthor domain name,test CSRF attack.

**Code modified:

  • comment-template: js script added extract, calculate and add doggyNonce script;
  • functions: PHP script added extract attribute script;
  • pluggable: PHP script added verify doggyNonce script.
  • comment: PHP script changed the request process logic.

**This is a recurrence of cve-2019-9787 on Wordpress and a hash-based defense.

0 Intro:

To defend Wordpress against CVE-2019-9787, a new field called doggyNonce is introduced. In cases where admin tries to adopt PINGBACK funxtion, and the _wp_unfiltered_html can not be provided, we asked admin to sign a signature on attributes of their uploaded Tags attributes with their cookie, this will enable us to defend CSRF attack and ensure and integrity of uploaded tag attributes.

1 Defense:

Wordpress automatically accept comment without correct CSRF-token as a PINFBACK and TRACEBACK request, filter that comment with a white-list filter, extract href field and reconstruct "a tag". To defend this vulnerability, two key points are toke into account: 1. Server cannot distinguish illegal CSRF request from legal PINGBACK/TRACEBACK request. 2. CSRF Attacker inject their code in href field of "a Tag", Tag attribute changed after being filtered. doggyNonce is a hash value depends on *cookie(wp-setting-time-$uid) and *uploaded href attrbute: doggyNonce=Hash(*uploaded href attrbute,*cookie) it should be notified that doggyNonce plays the role of admin's signature on uploaded href attribute.

**Special reminder

1. 'mal.html' is to mock CSRF attack, and thus, is expected to be placed in a domain other than Wordpress;
2. 'post.html' is to mock PINGBACK/TRACEBACK function, and thus, is expected to be placed in a same domain as WP;

About

This is a recurrence of cve-2019-9787 on Wordpress and a hash-based defense.

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages