Shulou(Shulou.com)05/31 Report--

How to analyze WordPress-5.1.1-CSRF-To-RCE security events, I believe that many inexperienced people do not know what to do. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

0x01 Overview 1.1 Preface

On March 13, 2019, RIPS released another WordPress CSRF, while WordPress officials also submitted the corresponding Commit, which is a relatively new hole. The problem lies in the comments of the article, in fact, there is an anti-CSRF corresponding wpnonce, people who are familiar with wp will certainly not be strange to wpnonce, this is wp's defense mechanism, action and postid composed of token, used to verify reference, and wordpress on the tag filtering mechanism is relatively strict. The whitelist mechanism, such as the a tag, is listed as:

It seems to be relatively strict, the basic driven label can not appear, can not be inserted into the js. The interesting thing is that the combination of two filter for comments results in the escape of the attributes in the a tag. RIPS article also said relatively simple, and then look at the specific implementation process, in fact, there are utilization conditions, RIPS also did not point out, in summary, detailed description.

1.2 background introduction

1.2.1 vulnerability description

The vulnerability exists in versions of WordPress prior to 5.1.1 and can be exploited using default settings.

According to its official download page of WordPress, more than 33% of Internet sites are using WordPress. Article comments are a core feature of blogs and are enabled by default, and the vulnerability can affect millions of websites.

1.2.2 affected version

WordPress

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.