Advisory
Analysis of vulnerability
The WP Online Store exposes a shortcode for displaying the store, which is declared in core.php:
```php
/* front end begins here */
function WP_online_store() {
	//global $currencies,$currency,$messageStack,$tree,$categories_string, $cPath_array;
	//global $request_type, $session_started, $SID;
	if (!isset($_REQUEST['slug'])) {
		include(WP_PLUGIN_DIR.'/'.basename(dirname(__FILE__)).'/index.php');
	}
	if ($_REQUEST['slug']) {
		include(WP_PLUGIN_DIR.'/'.basename(dirname(__FILE__)).'/'.$_REQUEST['slug']);
	}
}
```

and registered as a shortcode further down in the same file:

```php
add_shortcode('WP_online_store', 'WP_online_store');
```
If the "slug" request parameter is not set, the function includes the store's index page. If it is set, it includes whatever file the parameter names: the value is appended to the plugin directory with no check that it refers to one of WP Online Store's own files, so a value containing ../ walks out of the plugin directory, and because include() executes its target, any file the web server can read is pulled in as PHP. This is a local file inclusion vulnerability, and it is reachable from the front end: the handler runs whenever a post or page containing the text [WP_online_store] is rendered, and slug is read from $_REQUEST, so it can be supplied by GET or POST. If we create such a post/page, a request with the slug set like this includes wp-config.php:
```
http://192.168.80.130/wordpress/?slug=../../../wp-config.php
```