
List:       full-disclosure
Subject:    [FD] ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem (
From:       dxw Security <harry () dxw ! com>
Date:       2018-06-12 17:54:02
Message-ID: d59e274e00da989d2cc811b76e75081b () advisories ! dxw ! com

Details
================
Software: Redirection
Version: 2.7.3
Homepage: https://wordpress.org/plugins/redirection/
Advisory report: https://advisories.dxw.com/advisories/ace-file-inclusion-redirection/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)

Description
================
ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem

Vulnerability
================

If you are logged in as an administrator on any site, you can use the setup page of the Redirection plugin to run arbitrary code and completely compromise the system. This is done by entering the URL to redirect to in the format file://path/to/file/here. Unfortunately the plugin executes any PHP within that file. This means that any file with any extension on the filesystem that contains a small amount of user-controlled data can be turned into a back door. The plugin also has the functionality to create files and place user-controlled data in them. This results in attacker-controlled code running and complete compromise of the system. When the code for handling a redirect looks at the URL to redirect to, it does the following:

class Pass_Action extends Red_Action {
    function process_before( $code, $target ) {
        // Determine what we are passing to: local URL, remote URL, file
        if ( substr( $target, 0, 7 ) === 'http://' || substr( $target, 0, 8 ) === 'https://' ) {
            echo @wp_remote_fopen( $target );
            die();
        }
        else if ( substr( $target, 0, 7 ) === 'file://' ) {
            $parts = explode( '?', substr( $target, 7 ) );
            if ( count( $parts ) > 1 ) {
                // Put parameters into the environment
                $args = explode( '&', $parts[1] );
                if ( count( $args ) > 0 ) {
                    foreach ( $args as $arg ) {
                        $tmp = explode( '=', $arg );
                        if ( count( $tmp ) === 1 )
                            $_GET[ $arg ] = '';
                        else
                            $_GET[ $tmp[0] ] = $tmp[1];
                    }
                }
            }

            // $parts[0] is the admin-supplied path; it is included and executed as PHP
            include( $parts[0] );
            exit();
        }
        else {
            $_SERVER['REQUEST_URI'] = $target;
            if ( strpos( $target, '?' ) ) {
                $_SERVER['QUERY_STRING'] = substr( $target, strpos( $target, '?' ) + 1 );
                parse_str( $_SERVER['QUERY_STRING'], $_GET );
            }
        }

        return true;
    }
}

The above code behaves as expected if the URL to redirect to is an HTTP or HTTPS URL.
If the URL begins with file:// it passes the path straight to the include function.
It is also worth mentioning that if the URL is not http, https or file, then the code allows the $_GET array to be populated with unescaped values, which may result in SQL injections.

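As an added hardening example (my own code, not the plugin's and not its 2.8 fix), the handler below classifies the target before acting on it, so a file:// target never reaches include(). It assumes the Red_Action base class and wp_remote_fopen() from the snippet above, plus the WordPress functions wp_die() and wp_slash(); the helper name is mine.

```php
<?php
// Added example: hardened pass-through handler for the Redirection snippet.
// Only http(s) URLs and site-relative paths are accepted; every other
// scheme (file://, php://, data://, ...) is refused before any include().

function redirection_target_kind( $target ) {
    // A single leading "/" is a site-relative path. A "//host/..." form is
    // scheme-relative and is deliberately not treated as local.
    if ( substr( $target, 0, 1 ) === '/' && substr( $target, 0, 2 ) !== '//' ) {
        return 'local';
    }
    $scheme = parse_url( $target, PHP_URL_SCHEME );
    if ( is_string( $scheme ) && in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) {
        return 'remote';
    }
    // Anything else, including file://, is rejected outright.
    return 'invalid';
}

class Hardened_Pass_Action extends Red_Action {
    function process_before( $code, $target ) {
        switch ( redirection_target_kind( $target ) ) {
            case 'remote':
                echo @wp_remote_fopen( $target );
                die();

            case 'local':
                // Rebuild the request state from the query string only.
                $_SERVER['REQUEST_URI'] = $target;
                $query                  = parse_url( $target, PHP_URL_QUERY );
                $_SERVER['QUERY_STRING'] = is_string( $query ) ? $query : '';
                $_GET                    = array();
                if ( $_SERVER['QUERY_STRING'] !== '' ) {
                    parse_str( $_SERVER['QUERY_STRING'], $_GET );
                    // Assumption: WordPress normally slash-escapes request arrays in
                    // wp_magic_quotes(); restore that invariant for downstream code.
                    $_GET = wp_slash( $_GET );
                }
                return true;

            default:
                // Refuse the request instead of including a local file.
                wp_die( 'Invalid pass-through target', 'Redirection', array( 'response' => 400 ) );
        }
    }
}
```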
Proof of concept
================

echo '<?php phpinfo();' > dog-meme.jpg
Visit /wp-admin/media-new.php
Upload dog-meme.jpg
Copy the URL of the file (i.e. http://localhost/wp-content/uploads/2017/10/dog-meme.jpg)
Visit /wp-admin/tools.php?page=redirection.php
Fill “Source URL” with “/test”
Fill “Target URL” with “file:///var/www/html/wp-content/uploads/2017/10/dog-meme.jpg” (this will probably require some modification if your WP installation is at a different path or dog-meme.jpg is saved in a different directory)
Set “Group” to “Redirections”
Press “Add Redirect”
Press “Edit” on the newly added redirect
Press the cog icon
Set “When matched” to “Pass-through”
Press “Save”


Mitigations
================
Upgrade to version 2.8 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2017-10-02: Discovered
2017-10-03: Reported via website contact form
2017-10-04: Response received. Plugin author reports this as intended behaviour, as it is assumed that the administrator has full access to the system. However, a future version will also include a fix.

2017-10-18: Author reported fixed in 2.8
2018-06-12: Advisory published



Discovered by dxw:
================
Glyn Wintle
Please visit advisories.dxw.com for more information.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

