Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Data Manipulation with X-Forwarded-For header at WordPress

From: Alphan YAVAS <alphan.yv () gmail com>
Date: Tue, 9 Mar 2021 13:18:08 +0300
I. VULNERABILITY
-------------------------
Data Manipulation with X-Forwarded-For header at WordPress

II. CVE REFERENCE
-------------------------
CVE-2020-35539

III. VENDOR
-------------------------
https://wordpress.org

IV. TIMELINE
-------------------------
20/12/2020 Vulnerability discovered
21/12/2020 Vendor contacted
09/03/2021 CVE Assigned

V. CREDIT
-------------------------
Alphan Yavas

VI. DESCRIPTION
-------------------------
"X-Forwarded-For" is a HTTP header used to carry the client's original
IP address. However, because these headers may very well be added by
the client to the requests, if the systems/devices use IP addresses
which decelerate at X-Forwarded-For header instead of original IP,
various issues may be faced. If the data originating from these fields
is trusted by the application developers and processed, any
authorization checks originating IP address logging could be
manipulated.

VII. PROOF OF CONCEPT
-------------------------
Affected Component: Wordpress core
Affected version Wordpress 5.1

-Add X-Forwarded-For header to the /wp-admin
-You will get an error about your IP
-Next go /wp-admin/admin-ajax.php and add X-Forwarded-For header again

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: