When a user uploads a file, it is converted to HTML and posted on the site. The post_attachments_in_comment_form() function performs no input validation on the file name, so an attacker who persuades a user to upload a file with a specially crafted name can inject HTML. For example, if a file named /etc/passwd is uploaded, post_attachments_in_comment_form() returns the following HTML:

    <form action="http://example.com/post.php" method="post" enctype="text/plain" target="_top">
    <input type="file" name="post_attachments">
    </form>

【Caveat】 To upload a file with a name such as /etc/passwd, the attacker must ensure that the file name ends in ".txt" or ".htm".

The issue is highly reproducible because post_attachments_in_comment_form() is called from get_comment_form_function(), which is hooked into comments_template_functions_order_by_comment_time(). Therefore, if the attacker can inject a malicious URL into post_attachments_in_comment_form(), the return value of that function is emitted as HTML and injected into comments_template_functions_order_by_comment_time().

API endpoint example: http://example.com/wp-admin/post.php?post_attachments_in_comment_form=%2Fetc%2Fpasswd

In the vulnerable setup, WordPress has no mechanism for filtering the post-attachments-in-comment-form data that is stored in the database and POSTed to the WP API endpoint. This allows attackers to inject HTML by persuading a user to upload a file with a specially crafted name. For example, if a file named /etc/passwd is uploaded, the post-attachments-in-comment-form code returns the following HTML:

    <form action="http://example.com/post-attachments.php" method="post" enctype="text/plain" target="_top">
    <input type="file" name="post_attachments">
    </form>

The same caveat applies: the file name must end in ".txt" or ".htm". The issue is highly reproducible because the post-attachments-in-comment-form function is called from get_comment(), which is hooked into comments_template_functions_order_by_comment_time(). Therefore, if the attacker can inject a malicious URL into get_comment(), the return value of that function is emitted as HTML and injected into comments_template_functions_order_by_comment_time().

Bug Description

The issue is caused by the post_attachments_in_comment_form() function, which allows attackers to inject HTML by persuading a user to upload a file with a specially crafted name. The vulnerability is triggered when a user attaches a file to their comment. Successful exploitation results in attacker-controlled HTML being rendered by the site and, according to this report, can lead to taking control of a website that uses the vulnerable setup.

Operation Scenarios

The following two operations demonstrate how the vulnerability is exploited.
 1. An attacker uses a malicious URL to obtain the return value of post_attachments_in_comment_form() as HTML and inject it into comments_template_functions_order_by_comment_time().
 2. Alternatively, an attacker creates a file and uploads it through this vulnerability. If the attacker does not want to use a malicious URL, the file name must end in ".txt" or ".htm".
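The following PHP script is an added illustration of the bug class this report describes (HTML injection through an unvalidated upload file name) and its fix; it is not WordPress code or code from the vulnerable plugin. Only the function name post_attachments_in_comment_form() and the form markup are taken from the report; where the file name is echoed, the extension allow-list, and the sanitizer are assumptions made for the demonstration. It renders the same constructed file names through a vulnerable renderer and a hardened one so the difference is visible.

```php
<?php
// Added illustration, not WordPress or plugin code. The function name
// post_attachments_in_comment_form() and the <form> markup come from the
// report above; everything else (where the file name is echoed, the
// allow-list, the sanitizer) is assumed for the demonstration.

const FORM_ACTION = 'http://example.com/post.php';
// Extensions the report says an uploaded file name must end in (assumed allow-list).
const ALLOWED_EXTENSIONS = ['txt', 'htm'];

// Vulnerable pattern: the raw file name is concatenated into attribute and
// text context with no validation or escaping. (Assumption: the original
// echoes the name of the attached file back into the form.)
function vulnerable_post_attachments_in_comment_form(string $filename): string
{
    return '<form action="' . FORM_ACTION . '" method="post" enctype="text/plain" target="_top">'
         . '<input type="file" name="post_attachments" data-name="' . $filename . '">'
         . '<span>Attached: ' . $filename . '</span>'
         . '</form>';
}

// Hardened sanitizer: drop directory components, restrict the character set,
// and enforce the extension allow-list. Returns null when the name is rejected.
// In a real plugin WordPress's sanitize_file_name() plays this role.
function sanitize_attachment_name(string $filename): ?string
{
    $name = basename(str_replace('\\', '/', $filename)); // "/etc/passwd" -> "passwd"
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name); // drops < > " ' spaces = ( ) ...
    $name = trim($name, '.');                              // no dot-files, no trailing dots
    if ($name === '') {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $name;
}

// Hardened renderer: only a validated name is echoed, and even then it is
// escaped for HTML context. A real plugin would use WordPress's esc_attr()
// / esc_html(); htmlspecialchars() keeps this script stand-alone.
function hardened_post_attachments_in_comment_form(string $filename): string
{
    $safe = sanitize_attachment_name($filename);
    $form = '<form action="' . FORM_ACTION . '" method="post" enctype="text/plain" target="_top">'
          . '<input type="file" name="post_attachments">';
    if ($safe !== null) {
        $esc = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $form .= '<span>Attached: ' . $esc . '</span>';
    }
    return $form . '</form>';
}

// Constructed sample file names (not taken from any real upload):
$samples = [
    'notes.txt',                                // benign
    '/etc/passwd',                              // path-like name from the report; no allowed extension
    '"><img src=x onerror=alert(1)>.txt',       // breaks out of the attribute, keeps the .txt suffix
    '</span><script>alert(1)</script>.htm',     // breaks out of the text node, keeps the .htm suffix
];

foreach ($samples as $name) {
    echo "file name: $name\n";
    echo "  vulnerable: " . vulnerable_post_attachments_in_comment_form($name) . "\n";
    echo "  hardened:   " . hardened_post_attachments_in_comment_form($name) . "\n";
}
```

Run it with `php example.php`. The last two sample names satisfy the ".txt"/".htm" caveat from the report yet still carry markup, which shows why an extension check on its own is not a fix: the hardened renderer rejects "/etc/passwd" outright (no allowed extension after stripping the path) and reduces the two crafted names to harmless tokens, then escapes whatever survives before it reaches the page.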

Timeline

Published on: 11/22/2022 00:15:00 UTC
Last modified on: 11/22/2022 15:10:00 UTC
