List: full-disclosure
Subject: [FD] ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem (
From: dxw Security <harry () dxw ! com>
Date: 2018-06-12 17:54:02
Message-ID: d59e274e00da989d2cc811b76e75081b () advisories ! dxw ! com
Details
================
Software: Redirection
Version: 2.7.3
Homepage: https://wordpress.org/plugins/redirection/
Advisory report: https://advisories.dxw.com/advisories/ace-file-inclusion-redirection/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)
Description
================
ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem
Vulnerability
================
If you are logged in as an administrator on any site, you can use the setup page of the Redirection plugin to run arbitrary code and completely compromise the system. This is done by entering a target URL in the format file://path/to/file/here. Unfortunately, the plugin executes any PHP within that file. This means that any file with any extension on the filesystem that contains a small amount of user-controlled data can be turned into a back door. The plugin also has the functionality to create files and place user-controlled data in them. This results in attacker-controlled code running and complete compromise of the system.

When the code for handling a redirect looks at the URL to redirect to, it does the following:
class Pass_Action extends Red_Action {
    function process_before( $code, $target ) {
        // Determine what we are passing to: local URL, remote URL, file
        if ( substr( $target, 0, 7 ) === 'http://' || substr( $target, 0, 8 ) === 'https://' ) {
            echo @wp_remote_fopen( $target );
            die();
        }
        else if ( substr( $target, 0, 7 ) === 'file://' ) {
            // Everything after "file://" is split into a path and an optional query string
            $parts = explode( '?', substr( $target, 7 ) );
            if ( count( $parts ) > 1 ) {
                // Put parameters into the environment
                $args = explode( '&', $parts[1] );
                if ( count( $args ) > 0 ) {
                    foreach ( $args as $arg ) {
                        $tmp = explode( '=', $arg );
                        if ( count( $tmp ) === 1 )
                            $_GET[ $arg ] = '';
                        else
                            $_GET[ $tmp[0] ] = $tmp[1];
                    }
                }
            }
            // The admin-supplied path is handed to include() without any validation
            include( $parts[0] );
            exit();
        }
        else {
            // Local URL: rewrite the request and repopulate $_GET from the query string
            $_SERVER['REQUEST_URI'] = $target;
            if ( strpos( $target, '?' ) ) {
                $_SERVER['QUERY_STRING'] = substr( $target, strpos( $target, '?' ) + 1 );
                parse_str( $_SERVER['QUERY_STRING'], $_GET );
            }
        }
        return true;
    }
}
The above code behaves as expected if the URL to redirect to is an HTTP or HTTPS URL. If the URL begins with file://, it passes the path to the include function.

It's also worth mentioning that if the URL is not http, https or file, then the code allows the $_GET array to be contaminated with unescaped values, which may result in SQL injection.
Proof of concept
================
echo '<?php phpinfo();' > dog-meme.jpg
Visit /wp-admin/media-new.php
Upload dog-meme.jpg
Copy the URL of the file (e.g. http://localhost/wp-content/uploads/2017/10/dog-meme.jpg)
Visit /wp-admin/tools.php?page=redirection.php
Fill "Source URL" with "/test"
Fill "Target URL" with "file:///var/www/html/wp-content/uploads/2017/10/dog-meme.jpg" (this will probably require some modification if your WP installation is at a different path or dog-meme.jpg is saved in a different directory)
Set "Group" to "Redirections"
Press "Add Redirect"
Press "Edit" on the newly added redirect
Press the cog icon
Set "When matched" to "Pass-through"
Press "Save"
Mitigations
================
Upgrade to version 2.8 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2017-10-02: Discovered
2017-10-03: Reported via website contact form
2017-10-04: Response received. Plugin author reports this as intended behaviour, as it is assumed that the administrator has full access to the system. However, a future version will also include a fix.
2017-10-18: Author reported fixed in 2.8
2018-06-12: Advisory published
Discovered by dxw:
================
Glyn Wintle
Please visit advisories.dxw.com for more information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/