# Wordpress_CVE-2019-9787
Try to reproduce this issue with Docker, using an automatic WordPress install.
PoC of CVE-2019-9787 (CSRF)
WordPress versions up to 5.1
To demonstrate the full potential of CVE-2019-9787 you would need a nastier payload than the comment present in nginx/iframe-post.html. In my code I don't use the flaw in the WordPress wp_filter_post_kses() filter.
Do not use this except for test purposes.
# Installation using bash:
Clone the repo:
>git clone https://github.com/matinciel/Wordpress_CVE-2019-9787.git
Go to the directory:
>cd Wordpress_CVE-2019-9787
Launch the install; you need **docker 18.02.0 at least** (`docker -v` to check):
>make autoinstall
# Now you have installed:
WordPress (with a default admin account, login: wordpress / password: wordpress).
You can access it at http://localhost
# If you want to reproduce the security issue:
## Hacker part
1. Go to WordPress (do not log in as wordpress): http://localhost
2. Leave a comment on the Hello world! post (by clicking the "1 Comment" link).
The comment should contain something like this (only the URL is needed):
>Please visit my blog : http://localhost:6060
## WordPress owner (admin or editor role needed)
1. Log in to the WordPress "backend" by going to http://localhost/wp-admin
login: wordpress
password: wordpress
2. You should see a comment to validate in the comment section; just click on the link.
3. Go back to http://localhost/wp-admin and click on the Comments tab: you should have a new comment already validated without any action on your side...
# Limitations:
1. The malicious code in the iframe only works with the post ID=1 (Hello World!).
2. If a "hacked" comment is already validated, it does not work again.
3. Nonce protection does not seem to be needed to validate a comment (in other tutorials it is needed, maybe because you want to use a plugin / theme action?).
4. As already said: to demonstrate the full potential of CVE-2019-9787 you would need a nastier payload than the comment present in nginx/iframe-post.html. In my code I don't use the flaw in the WordPress wp_filter_post_kses() filter.
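Defender-side addition (not part of this repo or of the forked projects): a small Python checker for nginx `combined` access logs that flags POSTs to `/wp-comments-post.php` whose Referer is missing or comes from another origin, which is the shape of the auto-submitted iframe request in the flow above. The sample log lines, the `SITE_HOSTS` set and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# nginx "combined" log format; $http_referer is logged as "-" when absent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# host[:port] values the legitimate comment form is served from (assumption).
SITE_HOSTS = {"localhost"}

# Constructed sample lines modelled on the PoC flow: a normal comment, the admin
# browsing wp-admin, the POST auto-submitted by the iframe on localhost:6060,
# and a scripted POST that sends no Referer at all.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2019:12:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2019:12:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://localhost/?p=1" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2019:12:01:10 +0000] "GET /wp-admin/edit-comments.php HTTP/1.1" 200 20480 "http://localhost/wp-admin/" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2019:12:01:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://localhost:6060/iframe-post.html" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2019:12:02:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/7.64.0"
"""

def classify_comment_post(line, site_hosts=SITE_HOSTS):
    """None for lines that are not comment submissions; otherwise the parsed
    fields plus a 'verdict' of 'same-site', 'cross-site' or 'no-referer'."""
    m = COMBINED.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith("/wp-comments-post.php"):
        return None
    rec = m.groupdict()
    if rec["referer"] == "-":
        rec["verdict"] = "no-referer"   # cannot prove same-site; worth a look
    elif urlsplit(rec["referer"]).netloc.lower() in site_hosts:
        rec["verdict"] = "same-site"
    else:
        rec["verdict"] = "cross-site"   # the CSRF shape used by this PoC
    return rec

def suspicious_comment_posts(log_text, site_hosts=SITE_HOSTS):
    """All comment submissions whose Referer is missing or from another origin."""
    hits = []
    for line in log_text.splitlines():
        rec = classify_comment_post(line, site_hosts)
        if rec and rec["verdict"] != "same-site":
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in suspicious_comment_posts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["verdict"]:<10} referer={hit["referer"]} ua={hit["ua"]}')
```

A referrer policy can strip the header, so "no-referer" hits are a review queue rather than proof; this is a detection aid, the upstream fix is the nonce check WordPress shipped in 5.1.1.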
# Uninstall / retry / refresh:
To stop the service:
>docker-compose down
To delete all containers including their volumes, use:
>docker rm -vf $(docker ps -a -q)
To delete all the images:
>docker rmi -f $(docker images -a -q)
Don't forget to delete the repository:
>cd ..
>sudo rm -Rf Wordpress_CVE-2019-9787
# Initial projects copied/forked to make this happen:
For the WordPress auto install:
https://github.com/kassambara/wordpress-docker-compose
For the CVE proof of concept (without an auto-installed WordPress):
https://github.com/rkatogit/cve-2019-9787_csrf_poc
If there is any (official) way to link those pages to this one, please let me know; I used the fork on the second one, but without really knowing what I was doing :-)