[Challenge 7:] Wordpress Plugin - Cross-Site Request Forgery (CSRF)
IP ADDRESS: 172.19.19.6
OPERATING SYSTEM: Windows Server 2012
Tools Used:
- NMAP
- NESSUS
- WPSCAN
- METASPLOIT
Methodology:
NMAP
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 172.19.19.6
NESSUS
VIST SITE IN BROWSER
WPSCAN
METASPLOIT
ENTER METERPRETER SESSION
DOWNLOAD AND HASHFILE
Vulnerabilities and Recommendations:
PHP 5.4.x < 5.4.30 Multiple Vulnerabilities - The remote web server is running a version of PHP that is affected by multiple vulnerabilities.
Boundary checking errors exist related to the Fileinfo extension, Composite Document Format (CDF) handling and the functions 'cdf_read_short_sector', 'cdf_check_stream_offset', 'cdf_count_chain', and 'cdf_read_property_info'. (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487)
A pascal string size handling error exists related to the Fileinfo extension and the function 'mconvert'. (CVE-2014-3478)
A type-confusion error exists related to the Standard PHP Library (SPL) extension and the function 'unserialize'. (CVE-2014-3515)
An error exists related to configuration scripts and temporary file handling that could allow insecure file usage. (CVE-2014-3981)
A heap-based buffer overflow error exists related to the function 'dns_get_record' that could allow execution of arbitrary code. (CVE-2014-4049)
A type-confusion error exists related to the function 'php_print_info' that could allow disclosure of sensitive information. (CVE-2014-4721)
An out-of-bounds read error exists in the timelib_meridian_with_check() function due to a failure to properly check string ends. A remote attacker can exploit this to cause a denial of service condition or to disclose memory contents. (VulnDB 130082)
An out-of-bounds read error exists in the date_parse_from_format() function due to a failure in the date parsing routines to properly check string ends. A remote attacker can exploit this to cause a denial of service condition or to disclose memory contents. (VulnDB 130083)
- SOLUTION: Upgrade to PHP version 5.4.30 or later.
PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow - An unspecified overflow vulnerability in the function '_php_stream_scandir' in the file 'main/streams/streams.c'
- SOLUTION: Upgrade to PHP version 5.4.5 or later.
Apache 2.4.x < 2.4.10 Multiple Vulnerabilities
A flaw exists in the 'mod_deflate' module when request body decompression is configured. This could allow a remote attacker to cause the server to consume significant resources. (CVE-2014-0118)
A flaw exists in the 'mod_status' module when a publicly accessible server status page is in place.
This could allow an attacker to send a specially crafted request designed to cause a heap buffer overflow. (CVE-2014-0226)
A flaw exists in the 'mod_cgid' module in which CGI scripts that did not consume standard input may be manipulated in order to cause child processes to hang. A remote attacker may be able to abuse this in order to cause a denial of service. (CVE-2014-0231)
A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when using the default AcceptFilter. An attacker may be able to specially craft requests that create a memory leak in the application and may eventually lead to a denial of service attack. (CVE-2014-3523)
- SOLUTION: Upgrade to Apache version 2.4.10 or later. Alternatively, ensure that the affected modules are not in use.