| Title: Open proxy in Wordpress plugin google-adsense-and-hotel-booking v1.05 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2015-08-15 |
| [CVE-2015-1000009] |
| Download Site: https://wordpress.org/plugins/google-adsense-and-hotel-booking/ |
| Vendor: |
| Vendor Notified: 2015-08-15 |
| Vendor Contact: |
| Advisory: http://www.vapidlabs.com/advisory.php?v=151http://www.vapidlabs.com/advisory.php?v=151 |
| Description: Automatically insert Google Adsense ads and Hotel Reservations. |
| Vulnerability: The code in ./plugin/google-adsense-and-hotel-booking/proxy.php allows an arbitrary user to proxy POST requests
though the host site. This may allow attackers to hide attacks, or DoS a site if the POST request is pointed back
at itself causing a loop:
3 $url = $_POST['url'];
4 ini_set("allow_url_fopen", 1);
5 $data = array();
6 while(list($n,$v) = each($_POST)){$data[] = "$n=$v";}
7 $data = implode('&', $data);
8 $url = parse_url($url);
9 $host = $url['host'];
10 $path = $url['path'];
11 $port = 80;
12 $data_length = strlen($data);
13 $header = "POST $path HTTP/1.0\r\n";
14 $header .= "Host: $host\r\n";
15 $header .= "User-Agent: DoCoMo/1.0/P503i\r\n";
16 $header .= "Content-type: application/x-www-form-urlencoded\r\n";
17 $header .= "Content-length: $data_length\r\n";
18 $header .= "\r\n";
19 $fp = fsockopen($host,$port,$err_num,$err_msg,120);
20 $response ='';
21 fputs($fp, $header . $data);
22 while(trim(fgets($fp,4096)) != '');//Retira o cabecalho HTTP
23 while(!feof($fp)){$response .= fgets($fp,4096);}
24 // close the socket connection:
25 fclose($fp);
26 echo $response;
|
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
| Notes: |