CVE-2026-23545

Aruba HiSpeed Cache <= 3.0.4 - Missing Authorization

Type: Missing Authorization
CVSS Score: 5.3
Severity: medium
Patched in: 3.0.5
Time to patch: 7d

Description

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

  • Affected versions: <=3.0.4
  • Published: February 18, 2026
  • Last updated: February 24, 2026
  • Affected plugin: aruba-hispeed-cache

Source Code

WordPress.org SVN

Research Plan

Status: Unverified

This research plan focuses on identifying and exploiting a missing authorization vulnerability in the Aruba HiSpeed Cache plugin (version <= 3.0.4). This vulnerability allows unauthenticated attackers to perform actions typically reserved for administrators, such as purging the system cache.

1. Vulnerability Summary

The Aruba HiSpeed Cache plugin fails to implement proper capability checks (e.g., current_user_can( 'manage_options' )) and/or nonce verification on sensitive administrative functions. Specifically, the vulnerability resides in handlers registered via wp_ajax_nopriv_ (unauthenticated AJAX) or administrative hooks like admin_init that execute even during unauthenticated requests to admin-ajax.php.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action Parameter: The vulnerability likely involves an AJAX action such as aruba_hispeed_cache_purge_cache or aruba_hispeed_cache_clear_all (inferred).
  • HTTP Method: POST or GET (AJAX handlers usually support both, but POST is preferred for actions).
  • Preconditions: The plugin must be active. Some cache purging actions might only be effective if the cache has been populated.
  • Authentication: None required (unauthenticated).

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated request is sent to admin-ajax.php?action=aruba_hispeed_cache_purge_cache.
  2. Hook Registration: The plugin registers the action:
    // In Aruba HiSpeed Cache main class
    add_action( 'wp_ajax_nopriv_aruba_hispeed_cache_purge_cache', array( $this, 'purge_cache_callback' ) );
    add_action( 'wp_ajax_aruba_hispeed_cache_purge_cache', array( $this, 'purge_cache_callback' ) );
    
  3. Vulnerable Handler: The purge_cache_callback function is executed:
    public function purge_cache_callback() {
        // VULNERABILITY: Missing current_user_can('manage_options') check
        // VULNERABILITY: Missing check_ajax_referer('...', '...') check
        $this->purge_all_cache(); 
        wp_send_json_success( 'Cache purged successfully' );
    }
    
  4. Sink: The purge_all_cache() method interacts with the filesystem or the Aruba API to clear cached assets.

4. Nonce Acquisition Strategy

According to the CVSS vector (PR:N), this vulnerability is likely exploitable without a nonce, or the nonce check is missing entirely.

If a nonce is discovered during code analysis (e.g., via check_ajax_referer):

  1. Identify Localization: Search for wp_localize_script in the codebase to find where the nonce is exposed.
  2. Shortcode Search: Search for add_shortcode to see if a frontend page can trigger the script loading.
  3. Extraction:
    • Create a page: wp post create --post_type=page --post_status=publish --post_content='[aruba_cache_button]' (example shortcode).
    • Navigate to the page using browser_navigate.
    • Extract the nonce: browser_eval("window.aruba_cache_params?.nonce").

Note: If the vulnerability is indeed "Missing Authorization," the primary flaw is usually the lack of current_user_can().

5. Exploitation Strategy

  1. Identify Action Name: Search the plugin directory for AJAX registrations.
    grep -r "wp_ajax_nopriv" /var/www/html/wp-content/plugins/aruba-hispeed-cache/
    
  2. Analyze Handler: Locate the function name associated with the nopriv action and check for current_user_can or nonce verification.
  3. Craft Payload: Use the http_request tool to trigger the action.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=aruba_hispeed_cache_purge_cache (replace with the actual action found in step 1).
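
For a defensive code review, steps 1 and 2 can be automated. The following Python is an added example, not code from the plugin or from this advisory: it pairs each wp_ajax_ / wp_ajax_nopriv_ registration with its handler and reports which checks are absent. The sample PHP is constructed from the inferred handler above, ahsc_demo_status and status_callback are hypothetical names, and the regex matching is a heuristic rather than a PHP parser.

```python
import re

# Constructed sample modelled on the inferred handler above; not the plugin's real source.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_nopriv_aruba_hispeed_cache_purge_cache', array( $this, 'purge_cache_callback' ) );
add_action( 'wp_ajax_aruba_hispeed_cache_purge_cache', array( $this, 'purge_cache_callback' ) );
add_action( 'wp_ajax_ahsc_demo_status', array( $this, 'status_callback' ) );
public function purge_cache_callback() {
    // VULNERABILITY: Missing current_user_can('manage_options') check
    $this->purge_all_cache();
    wp_send_json_success( 'Cache purged successfully' );
}
public function status_callback() {
    check_ajax_referer( 'ahsc_demo_status', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1, 403 ); }
}
"""

HOOK_RE = re.compile(  # add_action( 'wp_ajax_[nopriv_]<action>', <callable>, 'method' )
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([\w-]+)['"]\s*,\s*"""
    r"""(?:(?:array\s*\(|\[)[^,]*,\s*)?['"](\w+)['"]""")
CHECKS = [("capability check", r"current_user_can\s*\("),
          ("nonce check", r"check_ajax_referer\s*\(|wp_verify_nonce\s*\(")]

def function_body(src, name):
    """Return the body of PHP function `name` with comments stripped, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):  # naive brace matching, ignores braces in strings
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return re.sub(r"//[^\n]*|/\*.*?\*/", "", src[start + 1:i], flags=re.S)
    return None

def audit_ajax_handlers(src):
    """List AJAX registrations whose handler lacks a capability or nonce check."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue  # handler lives in another file; feed in the whole plugin source
        missing = [label for label, pat in CHECKS if not re.search(pat, body)]
        if missing:
            findings.append({"action": action, "callback": callback,
                             "unauthenticated": bool(nopriv), "missing": missing})
    return findings
```

Findings with unauthenticated set to True correspond to the PR:N rating in this advisory; a handler on the authenticated hook that lacks current_user_can() is still reachable by any logged-in user. Comments are stripped before matching so that a note mentioning current_user_can() does not count as a check.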

6. Test Data Setup

  1. Activate Plugin: Ensure the plugin is active via WP-CLI.
    wp plugin activate aruba-hispeed-cache
    
  2. Generate Cache (Optional): Visit the homepage multiple times to ensure the cache has something to "purge."
    # Use the browser tool to visit the site
    
  3. Identify Success Indicator: Look at the plugin's code to see what a successful response looks like (e.g., {"success":true,"data":"..."}).

7. Expected Results

  • Response Code: 200 OK
  • Response Body: A JSON object indicating success or a message like "Cache cleared."
  • Side Effect: The plugin's cache directory (likely inside wp-content/cache/aruba-hispeed-cache/ or similar) should be emptied, or the plugin settings/logs should reflect a purge event.

8. Verification Steps

  1. Check Response: Confirm the AJAX response indicates success.
  2. Filesystem Check: Use the execution agent to check if the cache files were deleted.
    ls -R /var/www/html/wp-content/cache/
    
  3. Log Check: If the plugin logs purges in the database, check the wp_options table or a custom table.
    wp db query "SELECT * FROM wp_options WHERE option_name LIKE '%aruba_cache_last_purge%'"
    

9. Alternative Approaches

If the wp_ajax_nopriv hook is not present, check for:

  1. Global Initialization: Check if admin_init or init hooks handle $_GET['aruba_action'] without authorization checks.
    grep -r "admin_init" /var/www/html/wp-content/plugins/aruba-hispeed-cache/
    
  2. REST API: Check for register_rest_route without a permission_callback.
    grep -r "register_rest_route" /var/www/html/wp-content/plugins/aruba-hispeed-cache/
    
  3. Direct Parameter Detection: Sometimes plugins check for specific POST variables in the constructor of their main class. Search for $_POST or $_GET usage.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Aruba HiSpeed Cache plugin for WordPress (versions 3.0.4 and below) fails to implement authorization checks or nonce verification on functions handling cache management. This allows unauthenticated attackers to clear the site's cache by sending a request to the WordPress AJAX endpoint with a specific action parameter.

Exploit Outline

The attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php. The request body must include an 'action' parameter corresponding to the plugin's cache clearing function (likely registered via wp_ajax_nopriv). Because the handler lacks a capability check (e.g., current_user_can('manage_options')) and a nonce check (check_ajax_referer), the server executes the cache purge for any requester.
