PoC details: d1655f960f17951ef03fd4be8041e3eb46e784da

Related vulnerability
Title: WordPress Plugin LearnDash LMS security vulnerability (CVE-2024-1209)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets you host a personal blog on a server running PHP and MySQL; a WordPress plugin is an application plugin for it. WordPress Plugin LearnDash LMS 4.10.1 and earlier contain a security vulnerability caused by insufficient protection of uploaded assignments, which allows sensitive information to be disclosed through direct file access; an unauthenticated attacker can retrieve the uploaded content.
Description
Sensitive Information Exposure via assignments in LearnDash. 
Introduction
# CVE-2024-1209
*Sensitive Information Exposure via assignments in LearnDash. Unauthenticated visitors can browse and download uploaded assignments.*

- Vulnerability: [CVE-2024-1209](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sfwd-lms/learndash-lms-4101-sensitive-information-exposure-via-assignments) Sensitive Information Exposure via assignments
- CVSS: 5.3 (Medium)
- Software: LearnDash (sfwd-lms)
- Affected versions: <= 4.10.1
- Patched version: 4.10.2 (partially), 4.10.3 (fully)
- Developer: LearnDash
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-02-05
- Last updated: 2024-02-05

## Overview

Anyone, including unauthenticated visitors, can see all uploaded LearnDash assignments. Since the assignments are public, anyone who knows about this vulnerability can read the uploaded documents (causing potential GDPR incidents). The vulnerability can be exploited without having an account on the website.

## Background information

LearnDash is a Learning Management System plugin for WordPress.

The affected versions of LearnDash (<=4.10.1) store uploaded assignment files in folders without access protection. When a user uploads an assignment file, LearnDash puts the file in /wp-content/uploads/assignments/. The file keeps its original name, though it is prefixed with the post ID from where it was uploaded and the Unix time stamp.

LearnDash has three REST APIs: /wp/v2/, /ldlms/v1/, and /ldlms/v2/ (currently in beta). All APIs, including the beta API, are enabled by default. The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled for specific post types using the learndash_rest_api_enabled filter (see class-ld-rest-api.php).

## Vulnerability

Anyone, including unauthenticated visitors, can download any uploaded assignment file by just knowing the file’s name.

LearnDash appends a time stamp to every uploaded file’s name to make it harder to guess the name, but timestamps are brute-forceable. Unfortunately, an unauthenticated visitor who wants to read uploaded assignments doesn’t even have to brute-force any file names. The affected versions of LearnDash (<=4.10.1) publish all submitted assignments for unauthenticated visitors over the REST API. All a visitor has to do is to call the endpoint for sfwd-assignment over the /wp/v2/ REST API. The reply includes paths to the uploaded files, and the visitor can download them without signing in.

```
https://example.com/wp-json/wp/v2/sfwd-assignment
```
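As an added defender-side example (not code from the advisory and not LearnDash's own), the script below scans web-server access logs for the two paths the report names: the sfwd-assignment REST route that listed every assignment on <=4.10.1, and direct downloads from /wp-content/uploads/assignments/. The log format (Apache/nginx "combined"), the sample lines and the `<postid>_<unixtime>_<name>` file-name layout are my assumptions; the advisory only says names are prefixed with the post ID and a Unix time stamp, not how they are joined.

```python
"""Spot LearnDash assignment exposure in web-server access logs.

Added example for this advisory, not LearnDash's own code. Assumes the
Apache/nginx "combined" log format and the two paths the advisory names.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

REST_ROUTE = "/wp/v2/sfwd-assignment"            # route under /wp-json/
UPLOAD_DIR = "/wp-content/uploads/assignments/"  # where <=4.10.1 stored uploads

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Assumed layout "<postid>_<unixtime>_<original name>". The advisory states only
# that the name is prefixed with the post ID and a time stamp.
ASSIGNMENT_NAME_RE = re.compile(r"^(?P<post>\d+)_(?P<ts>\d{10})_(?P<name>.+)$")

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /wp-json/wp/v2/sfwd-assignment?per_page=100 HTTP/1.1" 200 48213 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:12:00:05 +0000] "GET /wp-content/uploads/assignments/1234_1704067200_thesis.pdf HTTP/1.1" 200 91234 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:12:00:06 +0000] "GET /wp-content/uploads/assignments/1234_1704070800_homework.docx HTTP/1.1" 200 40211 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:12:00:07 +0000] "GET /wp-content/uploads/assignments/1290_1704153600_essay.pdf HTTP/1.1" 200 20011 "-" "curl/8.4.0"
198.51.100.23 - - [10/Jan/2024:12:05:00 +0000] "GET /courses/intro/ HTTP/1.1" 200 7112 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2024:12:05:10 +0000] "GET /wp-content/uploads/assignments/1290_1704153600_essay.pdf HTTP/1.1" 200 20011 "https://example.com/courses/intro/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:12:07:00 +0000] "GET /index.php?rest_route=/wp/v2/sfwd-assignment HTTP/1.1" 200 48213 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Map a request target to 'rest_enum', 'direct_download' or None.

    Both WordPress REST URL forms are covered: the pretty /wp-json/... path and
    the ?rest_route=... query form used when permalinks are plain.
    """
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json" + REST_ROUTE):
        return "rest_enum"
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.startswith(REST_ROUTE):
            return "rest_enum"
    if parts.path.startswith(UPLOAD_DIR) and len(parts.path) > len(UPLOAD_DIR):
        return "direct_download"
    return None


def scan(lines):
    """Per-client counts of successful (HTTP 200) hits on the two exposure paths."""
    report = defaultdict(lambda: {"rest_enum": 0, "direct_download": 0, "posts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue  # unparseable line or a failed request
        kind = classify(rec["target"])
        if kind is None:
            continue
        entry = report[rec["ip"]]
        entry[kind] += 1
        if kind == "direct_download":
            # Which assignment posts were pulled (assumed file-name layout).
            basename = urlsplit(rec["target"]).path.rsplit("/", 1)[-1]
            m = ASSIGNMENT_NAME_RE.match(basename)
            if m:
                entry["posts"].add(m["post"])
    return dict(report)


def flag(lines, download_threshold=3):
    """Clients worth reviewing: any listing of the REST route, or at least
    `download_threshold` direct file downloads. Returns [(ip, reason), ...]."""
    flagged = []
    for ip, e in sorted(scan(lines).items()):
        reasons = []
        if e["rest_enum"]:
            reasons.append("listed assignments via REST x%d" % e["rest_enum"])
        if e["direct_download"] >= download_threshold:
            reasons.append("downloaded %d assignment files from %d posts"
                           % (e["direct_download"], len(e["posts"])))
        if reasons:
            flagged.append((ip, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for ip, reason in flag(SAMPLE_LOG.splitlines()):
        print(ip, "-", reason)
```

Access logs carry no session state, so a single REST listing may well be a logged-in instructor; the script only groups and counts, and the decision belongs to whoever correlates it with WordPress user activity. One direct download with a course-page referer (198.51.100.23 in the sample) is not flagged; a client that lists the route and then pulls files from several posts is. On a site running 4.10.3, where uploads moved to a protected folder, successful responses under the old path should no longer occur at all, which makes any remaining ones easy to spot.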

## Patches

LearnDash 4.10.2 was released on 2024-01-08. It addressed the issue with assignment file paths leaking through the REST API. CVE-2024-1208 and CVE-2024-1210 persisted.

LearnDash 4.10.3 was released on 2024-01-31. It moved the file storage location to a protected folder and introduced dynamic download links to prohibit unauthorized access.

## Timeline

- 2023-12-25 I reported CVE-2024-1208, CVE-2024-1209 and CVE-2024-1210 to LearnDash’s support (according to Project Zero’s 90-day responsible disclosure policy). I included all three vulnerabilities in the same report. The vulnerabilities were later broken up and assigned three different CVE IDs by Wordfence.
- 2023-12-25 I submitted the vulnerability to Wordfence’s CNA. I declined participating in their bug-bounty program.
- 2023-12-27 LearnDash’s support replied and confirmed they had passed the report to the developers.
- 2024-01-03 LearnDash confirmed the vulnerability.
- 2024-01-04 LearnDash reached out to let me know they would prioritize fixing the assignments vulnerability.
- 2024-01-08 LearnDash released LearnDash 4.10.2, partially addressing CVE-2024-1209 by no longer exposing all uploaded assignments through the REST API. CVE-2024-1208 and CVE-2024-1210 persisted.
- 2024-01-31 LearnDash released LearnDash 4.10.3, successfully addressing the remaining parts of all three vulnerabilities.
- 2024-02-02 Wordfence added the vulnerability to the CVE database.
- 2024-02-05 I published this report.

LearnDash handled the vulnerability report well and addressed the vulnerability within the 90-day responsible disclosure window.
File snapshot

```
[4.0K] /data/pocs/d1655f960f17951ef03fd4be8041e3eb46e784da
└── [4.0K] README.md

0 directories, 1 file
```