
Exploiting the SpamBam plugin for WordPress
The attached exploit demonstrates that the WordPress SpamBam plugin can
be bypassed due to relying on the client for security.

Vulnerable software:
SpamBam (http://wordpress.org/extend/plugins/spambam/) by Gareth Heyes

Vulnerability:
No matter how hard you obfuscate or encrypt your code, never, under any
circumstances, rely on the client for any security aspect. Never!

How the plugin works:
It generates a pseudo-random code on both the client and the server and
derives a key from it.
On form submit, the two key values are compared and must match for the
comment to be inserted.

How the exploit works:
It does nothing but act as a client: it parses the HTML, extracts the
JavaScript, processes it to calculate the key and fills the hidden field
with the result.
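The following is a constructed toy model of the design described in the two sections above; it is an added example and is neither the plugin's code nor the attached exploit. The seed name, the `|spambam` suffix, the hash function and the `ServerSideTokens` class are all assumptions made for illustration. It shows the property a reviewer would test for: whether the server's check can be satisfied from the response body alone, with no browser and no secret. It then contrasts that with a design where the server keeps the state and the page only carries an opaque, single-use, session-bound token.

```python
"""Toy model of a client-computed anti-spam key (constructed example)."""
import hashlib
import hmac
import re
import secrets

# --- Weak design: the check depends only on data the server sends the client ---

def render_weak_form(seed: str) -> str:
    """Server renders the form; inline JS derives the key from the visible seed.
    The derivation (seed + '|spambam', hashed) is itself part of the page."""
    script = (f"var seed='{seed}';"
              "document.getElementById('k').value=sha256(seed+'|spambam');")
    return (f"<form method='post'><input type='hidden' id='k' name='k'>"
            f"<script>{script}</script></form>")

def weak_server_key(seed: str) -> str:
    """The server recomputes the published derivation to compare against
    the submitted hidden field (assumed design, not the plugin's code)."""
    return hashlib.sha256(f"{seed}|spambam".encode()).hexdigest()

def weak_verify(seed: str, submitted_key: str) -> bool:
    return hmac.compare_digest(weak_server_key(seed), submitted_key)

def key_recoverable_from_page(html: str) -> bool:
    """Reviewer's check: is every input to the server's comparison present in
    the response?  If the seed and the derivation are both in the page, any
    HTTP client can satisfy the check, so the check carries no information
    about who or what submitted the form."""
    m = re.search(r"var seed='([^']*)'", html)
    if not m:
        return False
    seed = m.group(1)
    # The JS in the page and the server apply the same published derivation.
    return weak_verify(seed, weak_server_key(seed))

# --- Contrast: the server keeps the secret; the page carries an opaque token ---

class ServerSideTokens:
    """Tokens are random, stored server-side, bound to a session and single-use.
    The client cannot derive one; it can only echo back what it was issued."""

    def __init__(self) -> None:
        self._issued: dict[str, str] = {}  # token -> session id

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(16)
        self._issued[token] = session_id
        return token

    def verify(self, session_id: str, token: str) -> bool:
        owner = self._issued.pop(token, None)  # consumed on first use
        return owner is not None and hmac.compare_digest(owner, session_id)

if __name__ == "__main__":
    page = render_weak_form("c0ffee")          # constructed seed value
    print("weak check satisfiable from page alone:",
          key_recoverable_from_page(page))     # True
    store = ServerSideTokens()
    tok = store.issue("session-A")
    print("server-side token, first use:", store.verify("session-A", tok))   # True
    print("server-side token, replayed:", store.verify("session-A", tok))    # False
```

The server-side token removes the forgeable client computation and stops replay, but a script that fetches the form still receives a valid token, so on its own it does not distinguish a person from a bot. That is the point of the post: whatever the client computes, the decision has to be made on the server with server-side anti-spam checks.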

Solution:
There's no fix for this. It's a design flaw.