During testing of the plugin, a vulnerability was found that allows anyone to read and download a file containing PHP logs without authorization.

Main info:

CVE: CVE-2023-6821
Plugin: Error Log Viewer < 1.1.3
Critical: Medium
All Time: 53 174
Active installations: 5 000+
Publicly Published: February 20, 2023
Last Updated: February 20, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A3: Sensitive Data Exposure
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6821
https://wpscan.com/vulnerability/6b1a998d-c97c-4305-b12a-69e29408ebd9/

Timeline

December 6, 2023: Plugin testing and vulnerability detection in the Error Log Viewer have been completed
December 6, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 3, 2023: The author fixed the vulnerability and released the plugin update
February 21, 2023: Registered CVE-2023-6821

Discovery of the Vulnerability

During routine testing of the Error Log Viewer plugin, a vulnerability was discovered that enables unauthorized access to sensitive data. By exploiting this flaw, attackers can gain access to PHP log files without proper authorization.

Understanding Directory Listing Attacks

Directory listing vulnerabilities occur when a web server fails to restrict access to directory contents. In the case of WordPress, plugins like Error Log Viewer may inadvertently expose sensitive files by allowing directory listings. This means that anyone with the URL can view the contents of directories, including log files, without needing proper permissions. Real-world examples include attackers accessing PHP error logs containing sensitive information such as file paths, database credentials, and potentially even user data.

Exploiting the Directory Listing Vulnerability

Exploitation requires only a prior action by an administrator and a request to a known URL. An administrator first saves the error logs as TXT files using the plugin’s interface. Once saved, anyone can access the saved_logs directory and download these logs without authentication.

POC:

  1. An administrator clicks “Save as TXT file” at http://your_site/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php
  2. Anyone else can then go to wordpress/wp-content/plugins/error-log-viewer/saved_logs and download the log file from the page titled “Index of”

___

The potential risks associated with this vulnerability are significant. Attackers can leverage exposed PHP logs to gather sensitive information about the WordPress site, including file paths, database credentials, and user activity. This information can then be used to launch further attacks, such as SQL injection, unauthorized data access, or even full site compromise. Real-world scenarios may include malicious actors exploiting this vulnerability to gather intel for targeted attacks or data breaches.

Recommendations for Improved Security

To mitigate this vulnerability and enhance security:

  • Patch and Update: Ensure the Error Log Viewer plugin is updated to the latest version to address any known vulnerabilities.
  • Access Controls: Implement proper access controls to restrict access to sensitive directories and files.
  • Security Hardening: Utilize security plugins or server configurations to prevent directory listing and protect sensitive data.
  • Regular Audits: Conduct regular security audits to identify and address vulnerabilities in WordPress plugins and configurations.
  • User Education: Educate administrators and users about the risks associated with directory listing vulnerabilities and the importance of secure practices when managing WordPress sites.

By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through directory listing vulnerabilities in plugins like Error Log Viewer.
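
One way to act on the access-control and hardening recommendations above is to audit the plugins tree on disk for log folders the web server would serve. This is an added example, not code from the plugin or the original post; it assumes Apache-style hosting where a per-directory .htaccess is honoured, and the folder-name heuristic, function names and sample tree are constructed for illustration.

```python
import os
import re

# Heuristic (assumption): export folders are named like "saved_logs" or "logs".
LOG_DIR_RE = re.compile(r"(^|[_-])logs?$", re.I)
# Apache 2.4 and 2.2 directives that refuse all web access to a directory.
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\b", re.I | re.M)
NOINDEX_RE = re.compile(r"^\s*Options\b.*-Indexes\b", re.I | re.M)
INDEX_FILES = {"index.php", "index.html", "index.htm"}

def audit_dir(path):
    """Return findings for one log folder; an empty list means nothing to report."""
    names = os.listdir(path)
    data = [n for n in names if n != ".htaccess" and n.lower() not in INDEX_FILES]
    if not data:
        return []
    rules = ""
    ht_path = os.path.join(path, ".htaccess")
    if os.path.isfile(ht_path):
        with open(ht_path, encoding="utf-8", errors="replace") as fh:
            rules = fh.read()
    if DENY_RE.search(rules):
        return []  # requests for anything in this folder are refused
    findings = ["files-downloadable"]
    # An index file or "Options -Indexes" hides the listing but not the files.
    if not (set(map(str.lower, names)) & INDEX_FILES) and not NOINDEX_RE.search(rules):
        findings.append("listing-possible")
    return findings

def audit_plugins(plugins_root):
    """Map each log-like folder under wp-content/plugins to its findings."""
    report = {}
    for dirpath, _dirs, _files in os.walk(plugins_root):
        if LOG_DIR_RE.search(os.path.basename(dirpath)):
            found = audit_dir(dirpath)
            if found:
                report[os.path.relpath(dirpath, plugins_root)] = found
    return report

def build_sample(root):
    """Constructed sample tree: one unprotected and one protected log folder."""
    tree = {
        "error-log-viewer/saved_logs": {"php-errors.txt": "PHP Warning: sample\n"},
        "other-plugin/logs": {"a.log": "x\n", ".htaccess": "Require all denied\n"},
    }
    for rel, files in tree.items():
        os.makedirs(os.path.join(root, rel))
        for name, text in files.items():
            with open(os.path.join(root, rel, name), "w") as fh:
                fh.write(text)
```

Run `audit_plugins()` against the site's own `wp-content/plugins` directory; rules inherited from parent directories or the main server configuration are not visible to this check, so treat a finding as a prompt to verify the server's effective settings.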


DMITRII I.

CVE-2023-6821 – Error Log Viewer – Directory Listing to Sensitive Data Exposure – POC
