[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary php (WordPress plugin)

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary php (WordPress plugin)
From: dxw Security <security@xxxxxxx>
Date: Wed, 3 Sep 2014 11:16:16 +0000

Details
================
Software: Advanced Access Manager
Version: 2.8.2
Homepage: http://wordpress.org/plugins/advanced-access-manager/
Advisory report: 
https://security.dxw.com/advisories/advanced-access-manager-allows-admin-users-to-write-arbitrary-text-to-arbitrary-locations-which-could-lead-to-arbitrary-code-execution-etc/
CVE: CVE-2014-6059
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description
================
Advanced Access Manager allows admin users to write arbitrary files and execute 
arbitrary php

Vulnerability
================
Advanced Access Manager allows writing arbitrary content to arbitrary files. 
Depending on the server configuration this could allow arbitrary code 
execution, overwriting core WordPress files and e.g. blanking wp-config.php. In 
other configurations this could lead to overwriting files in the uploads 
directory.

Proof of concept
================

Visit http://localhost/wp-admin/admin.php?page=aam-configpress
Press “Save” (this creates the “aam_configpress” option)
Visit http://localhost/wp-admin/options.php
Set “aam_configpress” to “test.php”
Press “Save Changes”
Visit http://localhost/wp-admin/admin.php?page=aam-configpress again
Enter “<?php phpinfo();” into the textarea (without the quotes)
Press “Save”
Visit http://localhost/wp-content/aam/test.php

Note that there is no restriction on using “../” in the “aam_configpress” 
option so depending on server configuration you could create files anywhere on 
the filesystem.
This attack could be scripted to allow upload of binary files, including 
executable files.

Mitigations
================
Upgrade to version 2.8.3 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@xxxxxxx to acknowledge this report if you 
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report with 14 days.

Timeline
================

2014-08-20: Discovered
2014-09-01: Reported to author via email
2014-09-01: Requested CVE
2014-09-01: Developer responded
2014-09-02: Developer reported the issue fixed
2014-09-03: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
          


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] Mogwai Security Advisory MSA-2014-01: ManageEngine EventLog Analyzer Multiple Vulnerabilities
Next by Date: Re: [FD] ntopng 1.2.0 XSS injection using monitored network traffic
Previous by thread: [FD] Uninit memory disclosure via truncated images in Firefox
Next by thread: Re: [FD] ntopng 1.2.0 XSS injection using monitored network traffic
Index(es):
- Date
- Thread