
CVE-2020-35539: Data Manipulation with X-Forwarded-For header at WordPress

A flaw was found in WordPress 5.1. “X-Forwarded-For” is an HTTP header used to carry the client’s original IP address. Because the client can add this header to its own requests, systems or devices that use the IP address declared in the X-Forwarded-For header instead of the original IP may face various issues. If application developers trust and process the data originating from this field, authorization checks and originating IP address logging could be manipulated.


Full Disclosure mailing list archives

From: Alphan YAVAS <alphan.yv () gmail com>
Date: Tue, 9 Mar 2021 13:18:08 +0300

I. VULNERABILITY

Data Manipulation with X-Forwarded-For header at WordPress

II. CVE REFERENCE

CVE-2020-35539

III. VENDOR

https://wordpress.org

IV. TIMELINE

20/12/2020 Vulnerability discovered
21/12/2020 Vendor contacted
09/03/2021 CVE Assigned

V. CREDIT

Alphan Yavas

VI. DESCRIPTION

“X-Forwarded-For” is an HTTP header used to carry the client’s original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which are declared in the X-Forwarded-For header instead of the original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks or originating IP address logging could be manipulated.

VII. PROOF OF CONCEPT

Affected Component: WordPress core
Affected version: WordPress 5.1

- Add X-Forwarded-For header to the /wp-admin
- You will get an error about your IP
- Next go to /wp-admin/admin-ajax.php and add X-Forwarded-For header again

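A defensive counterpart to the description above, as an added example (not WordPress core code and not part of the original advisory): the application takes the client address from the socket peer and consults X-Forwarded-For only when that peer is a known reverse proxy. The proxy addresses, the function name `resolve_client_ip` and the sample requests are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. TRUSTED_PROXIES holds constructed
// sample addresses; replace them with the reverse proxies you operate.
// Assumption: proxies are matched by exact string, so list each address in
// the same textual form the web server reports in REMOTE_ADDR.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the client IP to use for logging and access decisions.
 * $server has the same shape as $_SERVER.
 */
function resolve_client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR is the TCP peer; a request header cannot change it.
    $peer = $server['REMOTE_ADDR'] ?? '';
    // A peer that is not one of our proxies gets no say via X-Forwarded-For.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $header));
    // Walk right to left: the rightmost entries were appended by our own
    // proxies; everything left of the first untrusted hop is client-supplied.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // every listed hop was a trusted proxy
}

// Constructed sample requests (documentation-range addresses).
$samples = [
    'direct client, header ignored' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via proxy, client-added prefix' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'],
    'two proxies in chain' => ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5'],
    'malformed header via proxy' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $label => $server) {
    printf("%-32s => %s\n", $label, resolve_client_ip($server));
}
```

The first two samples show the point of the advisory from the defender's side: a value the client placed in the header never becomes the address used for checks or logs.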
