Seeweb discovered a zero-day in the WordPress plugin "Ultimate Product Catalogue". After discussing it with the developers, who provided a patch, we released a full disclosure and decided to share this news with you.
The Ultimate Product Catalogue plugin is designed to help WordPress site administrators display products quickly and easily in an attractive and customizable layout, making the catalogue easy to browse, sort and update with categories, sub-categories, and tags.
Class: Unauthenticated Arbitrary File Upload
Vulnerable: WordPress Ultimate Product Catalogue Plugin 3.1.1 (and previous versions)
Credit: Luca Ercoli http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability
The vulnerability occurs due to the use of user-supplied input without proper validation.
By sending a specially crafted HTTP POST request, a remote unauthenticated attacker can exploit this issue to upload an arbitrary file and execute it in the context of the web server process.
The vulnerability exists in the Add_Products_From_Spreadsheet() function, where move_uploaded_file() (a PHP filesystem function) can be reached by unauthenticated users.
To reach this flaw, the WordPress AJAX API can be used, namely the hook to the function Update_UPCP_Content() that exists in the file UPCP_Main.php.
By sending a specially crafted request to Update_UPCP_Content(), we can execute Add_Products_From_Spreadsheet() and upload an arbitrary file into the "wp-content/plugins/ultimate-product-catalogue/product-sheets" folder.
Proof of Concept:
curl -v -k -X POST -F "Products_Spreadsheet=@./backdoor.php" "www.site.tld/wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet"
According to the vendor, a version that fixes the vulnerability has been released and is available for download.
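For site operators, the request above leaves a recognisable trace. The following detection script is an added example, not part of the original advisory or the plugin: it flags POSTs that reach the upload code through admin-ajax.php, flags any PHP file served from the plugin's product-sheets folder, and audits that folder for files that are not spreadsheets. The log lines and file names are constructed, and the allowed spreadsheet extensions are an assumption.

```python
"""Detection for the unauthenticated UPCP spreadsheet upload: flag the AJAX
request that reaches it, PHP served from product-sheets/, and stray files."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format up to the status code; the rest is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ACTION = "UPCP_AddProductSpreadsheet"
SHEETS_DIR = "/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
ALLOWED_SHEET_EXT = (".csv", ".xls", ".xlsx")  # assumed legitimate uploads

def classify(line):
    """Return 'upload-attempt', 'sheet-php-exec', or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    # Any WordPress 'action' hook that fires Update_UPCP_Content() reaches the
    # upload, so key on the plugin's own (case-sensitive) 'Action' parameter.
    if (m.group("method") == "POST" and url.path.endswith("/wp-admin/admin-ajax.php")
            and UPLOAD_ACTION in parse_qs(url.query).get("Action", [])):
        return "upload-attempt"
    # A PHP file being served from the upload folder means a drop succeeded.
    if url.path.startswith(SHEETS_DIR) and url.path.lower().endswith(".php"):
        return "sheet-php-exec"
    return None

def scan_log(lines):
    """Return (kind, ip, timestamp, status) for every flagged request."""
    hits = []
    for line in lines:
        kind = classify(line)
        if kind:
            m = LOG_RE.match(line)
            hits.append((kind, m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def audit_product_sheets(filenames):
    """Names in product-sheets/ that are not spreadsheets (what the PoC drops)."""
    return sorted(f for f in filenames if not f.lower().endswith(ALLOWED_SHEET_EXT))

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [22/Apr/2015:10:01:02 +0200] "POST /wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet HTTP/1.1" 200 54 "-" "curl/7.38.0"',
    '198.51.100.4 - - [22/Apr/2015:10:01:05 +0200] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2015:10:01:09 +0200] "GET /wp-content/plugins/ultimate-product-catalogue/product-sheets/backdoor.php HTTP/1.1" 200 0 "-" "curl/7.38.0"',
]
SAMPLE_DIR = ["catalogue-2015.csv", "backdoor.php", "prices.xlsx"]  # constructed

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
    print("non-spreadsheet files:", audit_product_sheets(SAMPLE_DIR))
```

Feed the script real access-log lines and a listing of the product-sheets directory; a PHP file in that folder on a site that still runs version 3.1.1 or earlier should be treated as a likely compromise, not just a missed upgrade.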
* Apr 21, 2015, 19:44 CEST: Vendor is notified of the vulnerability
* Apr 21, 2015, 22:40 CEST: Vendor confirms report and indicates that the flaw has been patched
* Apr 22, 2015: Public disclosure