This is a project by Sijia Zhang (https://github.com/sijiahi) and Bowen Zhou (https://github.com/KonjakZhou).
- Configure and install WordPress 5.0 under http://localhost/wp-admin/;
- Log in to WordPress as admin and post at least one article;
- Open mal.html (hosted under another domain name, or opened directly as a file in the browser) and click "submit request".
- If this works, you will be redirected to the article page with a "click me" comment; once you move your mouse over it, a prompt window indicating a successful attack appears.
- Replace the files in /wp-includes and add the JS scripts in /wp-includes/js.
- Move the mock post file into the WP region (the same domain as WordPress) and open the mock post page to test the PINGBACK/TRACKBACK function.
- If this works, you will be redirected to the article page with a "legal anchor" comment;
- Open mal.html from another domain name to test the CSRF attack.
- comment-template: JS script added to extract the href, calculate doggyNonce and add it to the request;
- functions: PHP script added to extract the tag attribute;
- pluggable: PHP script added to verify doggyNonce;
- comment: PHP script changed to alter the request-processing logic.
To defend WordPress against CVE-2019-9787, a new field called doggyNonce is introduced. When the admin wants to use the PINGBACK function and the _wp_unfiltered_html nonce cannot be provided, the admin is asked to sign the attributes of the uploaded tag with their cookie. This lets us defend against the CSRF attack and ensures the integrity of the uploaded tag attributes.
WordPress automatically accepts a comment without a correct CSRF token as a PINGBACK or TRACKBACK request, filters that comment with a whitelist filter, extracts the href field and reconstructs the "a" tag. To defend against this vulnerability, two key points are taken into account:
1. The server cannot distinguish an illegal CSRF request from a legal PINGBACK/TRACKBACK request.
2. The CSRF attacker injects their code into the href field of the "a" tag, and the tag attributes change after being filtered.
doggyNonce is a hash value that depends on the cookie (wp-settings-time-$uid) and the uploaded href attribute: doggyNonce = Hash(uploaded href attribute, cookie). Note that doggyNonce plays the role of the admin's signature on the uploaded href attribute: a page on another origin cannot read the cookie, so it cannot produce a valid doggyNonce, and any change to the href after signing makes the recomputed value differ.
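As an added illustration (not the project's own PHP code), the following Python sketch computes and verifies a doggyNonce as described above. It assumes the admin-side script signs the href with the value of the wp-settings-time-<uid> cookie, that the server recomputes the value over the href it extracts from the filtered "a" tag, and that a keyed HMAC-SHA256 stands in for the page's Hash(); the cookie value and hrefs below are constructed sample data.

```python
import hashlib
import hmac
from html.parser import HTMLParser


def doggy_nonce(href: str, cookie_value: str) -> str:
    """Hash(href, cookie): keyed HMAC so the secret cookie acts as the admin's signing key."""
    return hmac.new(cookie_value.encode(), href.encode(), hashlib.sha256).hexdigest()


class _HrefExtractor(HTMLParser):
    """Collects href attributes of <a> tags from (already filtered) comment HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def extract_hrefs(comment_html: str) -> list[str]:
    parser = _HrefExtractor()
    parser.feed(comment_html)
    return parser.hrefs


def verify_pingback(comment_html: str, submitted_nonce: str, cookie_value: str) -> bool:
    """Server-side check for a comment that arrived without the normal CSRF token.

    Accept it as a PINGBACK/TRACKBACK only if the admin's signature over the
    href that survived filtering matches; reject if the nonce is missing,
    the href changed, or the request was not signed with the admin's cookie.
    """
    if not submitted_nonce or not cookie_value:
        return False  # a cross-origin page cannot read the cookie, so it cannot sign
    hrefs = extract_hrefs(comment_html)
    if len(hrefs) != 1:
        return False  # exactly one signed anchor is expected per pingback
    expected = doggy_nonce(hrefs[0], cookie_value)
    return hmac.compare_digest(expected, submitted_nonce)  # constant-time compare
```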
1. 'mal.html' mocks the CSRF attack and is therefore expected to be placed on a domain other than the WordPress one;
2. 'post.html' mocks the PINGBACK/TRACKBACK function and is therefore expected to be placed on the same domain as WP.