Associated Vulnerability
Title: WordPress Cross-Site Request Forgery Vulnerability (CVE-2019-9787)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports hosting personal blog sites on servers running PHP and MySQL. WordPress versions before 5.1.1 contain a security vulnerability caused by the program failing to properly filter comment content. A remote attacker can exploit this vulnerability to execute code and take control of the WordPress site.
Description
This is a reproduction of CVE-2019-9787 on WordPress together with a hash-based defense.
Readme
# Wordpress_cve-2019-9787_defense
## Notice
This is a project by Sijia Zhang (https://github.com/sijiahi) and Bowen Zhou (https://github.com/KonjakZhou).
## Prerequisites
### 1 Reproducing the attack:
- Configure and install WordPress 5.0 under http://localhost/wp-admin/;
- Log in to WordPress as admin and post at least one article;
- Open mal.html (hosted under another domain name, or simply opened directly as a file in the browser) and click "submit request".
- If this works, you are redirected to the article page with a "click me" comment; once you move your mouse over it, a prompt window indicating a successful attack appears.
### 2 Defense:
- Replace the files in /wp-includes and add the JS scripts in /wp-includes/js.
- Move the mock post file (post.html) into the WordPress domain and open the mock post page to test the PINGBACK/TRACKBACK function.
- If this works, you are redirected to the article page with a "legal anchor" comment;
- Open mal.html from another domain name to test the CSRF attack.
## Code modified
- comment-template.php: JS script added that extracts the href attribute, calculates doggyNonce and adds the doggyNonce field to the request;
- functions.php: PHP script added that extracts the attribute;
- pluggable.php: PHP script added that verifies doggyNonce;
- comment.php: PHP script changed the request-processing logic.
## Reproduction of CVE-2019-9787 on WordPress and a hash-based defense
### 0 Intro:
To defend WordPress against CVE-2019-9787, a new field called doggyNonce is introduced.
In cases where the admin wants to use the PINGBACK function and the _wp_unfiltered_html field cannot be provided, we ask the admin to sign the attributes of the tag they upload with their cookie. This lets us defend against the CSRF attack and ensures the integrity of the uploaded tag attributes.
### 1 Defense:
WordPress automatically accepts a comment without a correct CSRF token as a PINGBACK/TRACKBACK request: it filters the comment with a white-list filter, extracts the href field and reconstructs the "a tag".
To defend against this vulnerability, two key points are taken into account:
1. The server cannot distinguish an illegal CSRF request from a legal PINGBACK/TRACKBACK request.
2. A CSRF attacker injects their code into the href field of the "a tag", so the tag attribute is changed after being filtered.
doggyNonce is a hash value that depends on the cookie (wp-settings-time-$uid) and the uploaded href attribute:
doggyNonce = Hash(uploaded href attribute, cookie)
Note that doggyNonce plays the role of the admin's signature on the uploaded href attribute.
## Special reminder
1. 'mal.html' mocks the CSRF attack and is therefore expected to be placed on a domain other than WordPress's;
2. 'post.html' mocks the PINGBACK/TRACKBACK function and is therefore expected to be placed on the same domain as WP.
File Snapshot
[4.0K] /data/pocs/891ece5ce94fed40e895d8743cce2ba6a00d2986
├── [ 638] mal.html
├── [2.1K] post.html
├── [2.7K] README.md
└── [4.0K] wp-includes
    ├── [109K] comment.php
    ├── [ 89K] comment-template.php
    ├── [185K] functions.php
    ├── [4.0K] js
    │   ├── [ 11K] md5.js
    │   ├── [3.7K] md5.min.js
    │   └── [7.2K] md5.min.js.map
    └── [ 92K] pluggable.php

2 directories, 10 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.