During testing of the plugin, a vulnerability was found that allows anyone to read and download a file containing PHP logs without authorization.
Main info:
CVE | CVE-2023-6821 |
Plugin | Error Log Viewer < 1.1.3 |
Criticality | Medium |
All Time | 53 174 |
Active installations | 5 000+ |
Publicly Published | February 20, 2023 |
Last Updated | February 20, 2023 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A3: Sensitive Data Exposure |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6821 https://wpscan.com/vulnerability/6b1a998d-c97c-4305-b12a-69e29408ebd9/ |
Timeline
December 6, 2023 | Plugin testing and vulnerability detection in the Error Log Viewer have been completed |
December 6, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
February 3, 2023 | The author fixed the vulnerability and released the plugin update |
February 21, 2023 | Registered CVE-2023-6821 |
Discovery of the Vulnerability
During routine testing of the Error Log Viewer plugin, a vulnerability was discovered that enables unauthorized access to sensitive data. By exploiting this flaw, attackers can gain access to PHP log files without proper authorization.
Understanding Directory Listing Attacks
Directory listing vulnerabilities occur when a web server fails to restrict access to directory contents. In the case of WordPress, plugins like Error Log Viewer may inadvertently expose sensitive files by allowing directory listings. This means that anyone with the URL can view the contents of directories, including log files, without needing proper permissions. Real-world examples include attackers accessing PHP error logs containing sensitive information such as file paths, database credentials, and potentially even user data.
Exploiting the Directory Listing Vulnerability
Exploiting this vulnerability takes only a few simple steps and no special tooling. An administrator first needs to save error logs as TXT files using the plugin’s interface. Once saved, anyone can access the saved_logs directory and download these logs without authentication.
POC:
- The admin clicks “Save as TXT file” at http://your_site/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php
- Someone else can then go to wordpress/wp-content/plugins/error-log-viewer/saved_logs and download the log file from the page titled “Index of”
The potential risks associated with this vulnerability are significant. Attackers can leverage exposed PHP logs to gather sensitive information about the WordPress site, including file paths, database credentials, and user activity. This information can then be used to launch further attacks, such as SQL injection, unauthorized data access, or even full site compromise. Real-world scenarios may include malicious actors exploiting this vulnerability to gather intel for targeted attacks or data breaches.
Recommendations for Improved Security
To mitigate this vulnerability and enhance security:
- Patch and Update: Ensure the Error Log Viewer plugin is updated to the latest version to address any known vulnerabilities.
- Access Controls: Implement proper access controls to restrict access to sensitive directories and files.
- Security Hardening: Utilize security plugins or server configurations to prevent directory listing and protect sensitive data.
- Regular Audits: Conduct regular security audits to identify and address vulnerabilities in WordPress plugins and configurations.
- User Education: Educate administrators and users about the risks associated with directory listing vulnerabilities and the importance of secure practices when managing WordPress sites.
By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through directory listing vulnerabilities in plugins like Error Log Viewer.
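One way to check the access-control and hardening recommendations on disk, as an added example that is not code from the plugin or from the original write-up: it walks a plugins directory and reports log folders such as saved_logs that the web server would list or serve. It assumes Apache honoring .htaccess with an index file suppressing the listing; the directory-name heuristic, `hardened-plugin` and `php_errors.txt` are constructed for illustration.

```python
import os
import re
import tempfile

INDEX_FILES = {"index.php", "index.html", "index.htm"}
LOG_SUFFIXES = (".txt", ".log")
LOG_DIR = re.compile(r"logs?$", re.I)  # heuristic (assumption): saved_logs, logs, log
NO_LISTING = re.compile(r"^\s*Options\s+.*-Indexes", re.I | re.M)
DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)", re.I | re.M)

def audit_log_dirs(root):
    """Map each log directory under root to its exposure issues.
    Reads only the directory's own .htaccess, not inherited server rules."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if not LOG_DIR.search(os.path.basename(dirpath)):
            continue
        if not any(f.lower().endswith(LOG_SUFFIXES) for f in files):
            continue
        rules = ""
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                rules = fh.read()
        if DENY_ALL.search(rules):
            continue  # web access to the directory is denied outright
        issues = ["files downloadable by direct URL"]
        has_index = any(f.lower() in INDEX_FILES for f in files)
        if not has_index and not NO_LISTING.search(rules):
            issues.append("directory listing possible")
        findings[os.path.relpath(dirpath, root)] = issues
    return findings

def build_sample_tree(root):
    """Constructed sample: an exposed saved_logs directory and a locked-down one."""
    for plugin, rules in (("error-log-viewer", None),
                          ("hardened-plugin", "Options -Indexes\nRequire all denied\n")):
        logdir = os.path.join(root, plugin, "saved_logs")
        os.makedirs(logdir)
        with open(os.path.join(logdir, "php_errors.txt"), "w") as fh:
            fh.write("constructed sample log line\n")
        if rules:
            with open(os.path.join(logdir, ".htaccess"), "w") as fh:
                fh.write(rules)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, issues in audit_log_dirs(build_sample_tree(tmp)).items():
            print(path, "->", ", ".join(issues))
```

Disabling the listing alone still leaves the saved files reachable by anyone who knows or guesses a file name, which is why the check reports direct download separately.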
DMITRII I.