Plugin Buddypress Xprofile Custom Fields Type 2.6.3 Arbitrary File Deletion – Unlink

Details

  • Name : Buddypress Xprofile Custom Fields Type
  • Version : 2.6.3
  • Homepage : https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/

Type

  • Arbitrary File Deletion
  • Remote Code Execution - RCE

Description

  • Required access: any registered BuddyPress user.
  • $_POST[ 'field_' . $field_id . '_hiddenfile' ] is used without sanitization or validation.
  • $_POST[ 'field_' . $field_id . '_deleteimg' ] is used without sanitization or validation.

Code

File: wp-content/plugins/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php
Lines: 452, 472, 496, 513, 568, 579
Examples:
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenfile' ] );
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenimg' ] );
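The two calls above concatenate the uploads base directory with a request parameter and hand the result straight to unlink(), so the caller controls which file under (or, via "../", outside) the uploads tree is removed. The following is an added example of how that step could be hardened; it is not the plugin's own code. It assumes a hypothetical plugin upload subdirectory named bpxcft, a hypothetical nonce action bpxcft_delete_file, and that the file name recorded at upload time is stored as the xprofile field value; function names prefixed bpxcft_ are placeholders.

```php
<?php
// Added hardening example (not the plugin's own code). Placeholders: the
// 'bpxcft' upload subdirectory, the 'bpxcft_delete_file' nonce action, and
// the assumption that the uploaded file name is the stored xprofile field value.

/**
 * Resolve a user-supplied relative name against the allowed upload directory.
 * Returns the absolute path only when the resolved file is a regular file
 * directly inside $basedir/$subdir; traversal, absolute paths, NUL bytes,
 * symlinks pointing elsewhere and missing files all yield null.
 */
function bpxcft_safe_upload_path( string $relative, string $basedir, string $subdir ): ?string {
    if ( $relative === '' || strpos( $relative, "\0" ) !== false ) {
        return null;
    }
    // Only the file name is trusted; any directory component is discarded.
    $name        = basename( $relative );
    $allowed_dir = realpath( $basedir . '/' . $subdir );
    if ( $allowed_dir === false ) {
        return null;
    }
    $candidate = realpath( $allowed_dir . '/' . $name );
    if ( $candidate === false ) {
        return null;
    }
    // The canonical path must sit directly under the allowed directory.
    if ( dirname( $candidate ) !== $allowed_dir || ! is_file( $candidate ) ) {
        return null;
    }
    return $candidate;
}

/**
 * Delete the file attached to one profile field for the current user.
 * Replaces the unguarded unlink( $uploads['basedir'] . $_POST[...] ) pattern.
 */
function bpxcft_delete_field_file( int $field_id ): bool {
    $key = 'field_' . $field_id . '_hiddenfile';
    if ( ! isset( $_POST[ $key ] ) || ! is_user_logged_in() ) {
        return false;
    }
    // The request must carry a valid nonce for this action (placeholder name).
    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'bpxcft_delete_file' ) ) {
        return false;
    }
    $uploads = wp_upload_dir();
    $path    = bpxcft_safe_upload_path( wp_unslash( $_POST[ $key ] ), $uploads['basedir'], 'bpxcft' );
    if ( $path === null ) {
        return false;
    }
    // Only remove the file the plugin recorded for this user and field
    // (assumes the stored field value is the uploaded file name).
    $recorded = xprofile_get_field_data( $field_id, get_current_user_id() );
    if ( basename( (string) $recorded ) !== basename( $path ) ) {
        return false;
    }
    wp_delete_file( $path );
    return ! file_exists( $path );
}
```

The important properties are that the path is canonicalised with realpath() before the directory check (so "../" segments and symlinks are resolved first), that the request is tied to the logged-in user through a nonce, and that the file to delete is looked up from the plugin's own stored record rather than taken from the request. Each of these alone closes the traversal; together they also stop one user deleting another user's upload.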

Proof Concept

1 - Log in as a BuddyPress user.
2 - Access Edit Profile: http://target/members/admin/profile/edit/
3 - Register data with an image.
4 - Change the parameter to delete the image in the HTML and save the profile.

Results

wp-config.php is deleted and the whole installation is reset.

Note


Solution


Timeline

  • Date Discovery : 12/08/2017
  • Date Vendor Contact : 01/04/2018
  • Date Publish :
  • Date Resolution :