Time spent: 5 hours spent in total
Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress
- (Required) CVE-2015-3440 - Unauthenticated Stored Cross-Site Scripting
  - Summary:
    - Vulnerability types: XSS
    - Tested in version: 4.2
    - Fixed in version: 4.2.1
  - GIF Walkthrough:
  - Steps to recreate:
    - Use an account that is allowed to post comments to the affected site.
    - Post a comment that contains XSS injection content followed by at least 64 kilobytes of text.
    - WordPress will truncate the comment, producing malformed HTML on the site that includes the injected content.
  - Affected source code:
- (Required) CVE-2017-6814 - Authenticated XSS via Media File Metadata
  - Summary:
    - Vulnerability types: XSS
    - Tested in version: 4.2
    - Fixed in version: 4.2.13
  - GIF Walkthrough:
  - Steps to recreate:
    - Create an MP3 file with the payload stored in an ID3 tag field (e.g., the track title).
    - Using an editor or administrator account, upload the MP3 file to the affected site's media library.
    - Insert an audio playlist containing the file into a post.
    - The payload will execute when the post renders.
  - Affected source code:
- (Required) CVE-2018-12895 - Authenticated Arbitrary File Deletion
  - Summary:
    - Vulnerability types: Path Traversal / Other
    - Tested in version: 4.2
    - Fixed in version: 4.2.21
  - GIF Walkthrough:
  - Steps to recreate:
    - As an authorized user, upload an image to the affected site's media library.
    - Click the "edit" link and note the image's ID as well as the `_wpnonce` value in the edit page form.
    - Submit a request to the `post.php` page with the POST parameters `action=editattachment`, `_wpnonce=<value obtained earlier>`, and `thumb=<path to a file on the server>` (e.g., `../../../../wp-config.php` for the wp-config file).
    - Locate the `_wpnonce` for deleting the media, and submit a request to `post.php` with the POST parameters `action=delete` and `_wpnonce=<value obtained from the page>`.
    - The file specified in the `thumb` parameter will be deleted.
  - Affected source code:
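Two defensive input checks for the bugs described under CVE-2015-3440 (comment truncation) and CVE-2018-12895 (path traversal through the `thumb` value), added here as an example; this is not WordPress code or the author's, and the function names, the constant and the sample values are assumptions.

```php
<?php
// Added example: defensive checks for the two input-handling bugs described above
// (comment truncation, CVE-2015-3440; thumb path traversal, CVE-2018-12895).
// These are hypothetical helpers, not WordPress's own patches.

// A MySQL TEXT column holds at most 65535 bytes, which is why an over-long comment
// is silently cut off on insert. Refuse such input instead of storing a truncated
// body whose markup is no longer balanced.
const MAX_COMMENT_BYTES = 65535;

function comment_fits_storage(string $content): bool {
    // strlen counts bytes, which is what the column limit is measured in.
    return strlen($content) <= MAX_COMMENT_BYTES;
}

// An attachment's "thumb" value should only ever name a sibling of the original
// upload. Accept a bare file name and nothing else: no directory separators,
// no "." or "..", no NUL bytes.
function is_safe_thumb_name(string $thumb): bool {
    if ($thumb === '' || strlen($thumb) > 255 || strpos($thumb, "\0") !== false) {
        return false;
    }
    if (strpbrk($thumb, "/\\") !== false || $thumb === '.' || $thumb === '..') {
        return false;
    }
    return true;
}

// Resolve the thumb beside the original file and confirm the result still lies
// inside the uploads directory, so a symlink or an unexpected name cannot escape it.
function resolve_thumb_path(string $uploads_dir, string $original, string $thumb): ?string {
    if (!is_safe_thumb_name($thumb)) {
        return null;
    }
    $base = realpath($uploads_dir);
    $real = realpath(dirname($original) . DIRECTORY_SEPARATOR . $thumb);
    if ($base === false || $real === false) {
        return null;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Constructed sample values: an over-long comment and the traversal string from the steps above.
var_dump(comment_fits_storage(str_repeat('A', 70000)));
var_dump(is_safe_thumb_name('../../../../wp-config.php'));
var_dump(is_safe_thumb_name('image-150x150.jpg'));
```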
Assets used for each vulnerability can be found in their folders:
GIFs created with LiceCap.
The biggest challenge was using LiceCap, because 8 FPS gifs make me sad.
Copyright 2018 Zachary Henkel
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.