There is an SSRF vulnerability in the plugin. Any user can exploit it, for example to identify open local ports.
The vulnerable action is wp-downloadmanager/download-add.php
The vulnerable parameter is file_remote
For example, a hacker can set the value http://127.0.0.1:3306 in the file_remote parameter and understand the status of port 3306. If the port is open, the server will wait for an answer from the service on 3306; otherwise the server returns an answer instantly.
I was listening on port 3306 on the backend (127.0.0.1), and got a request from the 127.0.0.1 server:
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 45588
GET / HTTP/1.0
Host: 127.0.0.1:3306
Connection: close
Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. They can help identify open ports and local network hosts, and execute commands on services (for example redis, by using the gopher:// scheme).
To prevent the vulnerability, follow this guide: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
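One way to validate a value such as file_remote before the server fetches it, shown as an added example and not the plugin's own code. The helper name is_safe_remote_url() is hypothetical and the sample URLs are constructed.

```php
<?php
// Added example: is_safe_remote_url() is a hypothetical helper,
// not part of wp-downloadmanager.
function is_safe_remote_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only plain web schemes: rejects gopher://, file:// and similar.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Only default web ports, so the fetch cannot be aimed at e.g. 3306.
    $port = $parts['port'] ?? null;
    if ($port !== null && !in_array($port, [80, 443], true)) {
        return false;
    }
    // Resolve the host (IPv4 only via gethostbynamel) and require that
    // every resulting address is public.
    $host = trim($parts['host'], '[]');
    $ips = filter_var($host, FILTER_VALIDATE_IP)
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // Fails for loopback, link-local, RFC 1918 and other reserved ranges.
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample values for the file_remote parameter.
$samples = [
    'http://127.0.0.1:3306',          // loopback and non-web port
    'gopher://127.0.0.1:6379/',       // scheme not allowed
    'http://10.0.0.5/backup.zip',     // private range
    'https://93.184.216.34/file.zip', // public address, default port
];
foreach ($samples as $u) {
    printf("%-32s %s\n", $u, is_safe_remote_url($u) ? 'allow' : 'reject');
}
```

The check resolves the host name separately from the later fetch, so the fetch should connect to the address that was validated and should not follow redirects without re-checking each target.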