Reproduce this issue with Docker, using an auto-install of WordPress
PoC of CVE-2019-9787: CSRF in WordPress versions up to 5.1
To demonstrate the full potential of CVE-2019-9787 you would probably want a nastier payload than the comment present in nginx/iframe-post.html. My code does not use the flaw in the WordPress wp_filter_post_kses() filter.
Do not use this except for testing purposes.
Clone the repo:
git clone https://github.com/matinciel/Wordpress_CVE-2019-9787.git
Go to the directory:
cd Wordpress_CVE-2019-9787
Launch the install; you need Docker 18.02.0 or later (check with docker -v):
make autoinstall
This sets up WordPress with a default admin account (login: wordpress / password: wordpress). You can access it at http://localhost
- Go to WordPress at http://localhost (do not log in as wordpress).
- Leave a comment on the Hello world! post (by clicking the "1 Comment" link). The comment should contain something like the following (only the URL is needed):
Please visit my blog : http://localhost:6060
- Log in to the WordPress "backend" at http://localhost/wp-admin (login: wordpress, password: wordpress).
- You should see a comment awaiting validation in the comments section; just click on the link it contains.
- Go back to http://localhost/wp-admin and click on the Comments tab: you should see a new comment, already validated, without any action on your side...
- The malicious code in the iframe only works with post ID=1 (Hello World!).
- If a "hacked" comment has already been validated, it does not work again.
- Nonce protection does not seem to be needed to validate a comment (in other tutorials it is needed, maybe because they want to use a plugin / theme action?).
- As already said: to demonstrate the full potential of CVE-2019-9787 you would probably want a nastier payload than the comment present in nginx/iframe-post.html. My code does not use the flaw in the WordPress wp_filter_post_kses() filter.
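As an added defensive example (not part of this repo or of WordPress), the script below flags cross-site comment submissions in nginx access logs: a CSRF page served from another origin (here http://localhost:6060) produces a POST to the standard WordPress comment endpoint wp-comments-post.php whose Referer does not match the site host. The log lines are constructed for the example and the site host is assumed to be localhost.

```python
"""Flag WordPress comment POSTs whose Referer comes from a different origin."""
import re
from urllib.parse import urlsplit

# nginx "combined" log format: ip - user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

COMMENT_ENDPOINT = "/wp-comments-post.php"  # standard WordPress comment handler


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site_comment_post(entry, site_host):
    """True for a POST to the comment endpoint whose Referer is another origin.
    A missing Referer is also flagged: same-origin submission cannot be confirmed."""
    if entry["method"] != "POST" or not entry["path"].startswith(COMMENT_ENDPOINT):
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True
    return urlsplit(ref).netloc.lower() != site_host.lower()


def find_suspicious(lines, site_host):
    """Return (ip, time, referer) for every cross-site comment POST in the log."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_cross_site_comment_post(entry, site_host):
            hits.append((entry["ip"], entry["time"], entry["referer"]))
    return hits


# Constructed sample log (assumed values): a legitimate comment posted from the site
# itself, then one submitted through the iframe page hosted on localhost:6060.
SAMPLE_LOG = [
    '172.18.0.1 - - [10/Mar/2019:12:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '172.18.0.1 - - [10/Mar/2019:12:00:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://localhost/?p=1" "Mozilla/5.0"',
    '172.18.0.1 - - [10/Mar/2019:12:01:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://localhost:6060/iframe-post.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, "localhost"):
        print("cross-site comment POST:", hit)
```

Browsers may strip the Referer under some referrer policies, so treat a missing Referer as a lead to check, not as proof of CSRF.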
To stop the service:
docker-compose down
To delete all containers, including their volumes, use:
docker rm -vf $(docker ps -a -q)
To delete all the images:
docker rmi -f $(docker images -a -q)
Don't forget to delete the repository (the directory name matches the one cloned above):
cd .. && sudo rm -Rf Wordpress_CVE-2019-9787
For the WordPress auto-install: https://github.com/kassambara/wordpress-docker-compose
For the CVE proof of concept (without an auto-installed WordPress): https://github.com/rkatogit/cve-2019-9787_csrf_poc
If there is any (official) way to link those pages to this one, please let me know; I used the fork on the second one without really knowing what I was doing :-)