WordPress Online Store local file inclusion vulnerability

Advisory

Secunia Advisory SA50836

Analysis of vulnerability

The WP Online Store exposes a shortcode for displaying the store, which is declared in core.php:

If the “slug” request parameter is not set, the shortcode loads the store's index page. If it is set, it loads whichever page the user requests. It does not, however, verify that the “slug” names a WP Online Store file, which allows local file inclusion: create a post/page containing the text “[WP_online_store]”, and submit a request with the slug set like this:
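The defensive fix for this class of bug is to never pass a request parameter to include() without first confining it to the files the shortcode is meant to serve. The following is an added example, not WP Online Store's code and not the vendor's fix: the function names (wpos_resolve_page_file, wpos_render_store) are hypothetical, the plugin directory is a constructed temporary directory, and the page files are assumed to be PHP files living directly in that directory. It applies two independent controls, a strict character class on the slug and a realpath() containment check, and forces the .php extension itself so that traversal strings, null bytes and stream-wrapper prefixes are all rejected before any file is touched.

```php
<?php
// Added example, not WP Online Store's code. Illustrates the defensive pattern
// for resolving a user-supplied "slug" to a file inside the plugin directory.
// Function names (wpos_resolve_page_file, wpos_render_store) are hypothetical.

declare(strict_types=1);

/**
 * Resolve a request "slug" to a page file under $plugin_dir, or return null.
 *
 * Two independent controls, both of which must pass:
 *  1. The slug must match a strict character class, so "../", null bytes,
 *     "php://" and similar wrapper or traversal strings are rejected up front.
 *  2. The resolved path is canonicalised with realpath() and must lie inside
 *     the canonical plugin directory; this catches anything the first check
 *     might miss (symlinks, a mistake in the regex, a future edit).
 */
function wpos_resolve_page_file(string $slug, string $plugin_dir): ?string
{
    // Empty slug means the store index page, as the advisory describes.
    if ($slug === '') {
        $slug = 'index';
    }

    // Control 1: only plain identifiers; no separators, dots or control bytes.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $slug) !== 1) {
        return null;
    }

    // Control 2: canonicalise and confine to the plugin directory.
    // The extension is appended here, so the request can never choose it.
    $base = realpath($plugin_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $slug . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the plugin directory
    }
    return $candidate;
}

/** Shortcode-style handler: include the resolved file or a safe fallback. */
function wpos_render_store(string $plugin_dir): string
{
    $slug = isset($_REQUEST['slug']) ? (string) $_REQUEST['slug'] : '';
    $file = wpos_resolve_page_file($slug, $plugin_dir);
    if ($file === null) {
        return '<p>Page not found.</p>'; // never fall through to include()
    }
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// --- Self-contained demonstration with a constructed plugin directory ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpos_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/index.php', '<?php echo "store index";');
file_put_contents($dir . '/cart.php',  '<?php echo "cart page";');

// Constructed slugs covering the cases the advisory and the comment raise.
$cases = [
    ''                        => 'index page',
    'cart'                    => 'allowed page',
    '../../../wp-config'      => 'traversal',
    "cart\0"                  => 'null byte',
    'php://filter/resource=x' => 'stream wrapper',
    'missing'                 => 'no such page',
];
foreach ($cases as $slug => $label) {
    $resolved = wpos_resolve_page_file((string) $slug, $dir);
    printf("%-16s %s\n", $label . ':', $resolved === null ? 'rejected' : basename($resolved));
}

// Simulate the shortcode being rendered for a legitimate request.
$_REQUEST['slug'] = 'cart';
echo wpos_render_store($dir), "\n";

unlink($dir . '/index.php');
unlink($dir . '/cart.php');
rmdir($dir);
```

Only the two legitimate slugs resolve to a file; every other case, including the “dirname/../../../target” shape the comment below mentions, is refused by the character-class check and would be refused again by the realpath() containment check even if the first control were weakened.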


One comment

  1. Check out the “fix”: having a security slip-up is one thing, but once you know what you did wrong and you still mess it up, that’s just sad. At least now someone can only include arbitrary PHP files, although I’m not even sure if the extension check works. What if you get creative with null bytes or fancy protocol wrappers? Not too sure that part works either. Even if they used their “safe, filtered” file name, you could still get around that by submitting “dirname/../../../target”.
