Details
Name : Buddypress Xprofile Custom Fields Type
Version : 2.6.3
Homepage : https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
Type
Arbitrary File Deletion / Remote Code Execution (RCE)
Description
Required user access: any registered BuddyPress user.
$_POST[ 'field_' . $field_id . '_hiddenfile' ] is not sanitized or validated before use.
$_POST[ 'field_' . $field_id . '_deleteimg' ] is not sanitized or validated before use.
Code
File: wp-content/plugins/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php
Lines: 452, 472, 496, 513, 568, 579
Examples:
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenfile' ] );
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenimg' ] );
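An added example, not code from the plugin or its vendor, of the kind of path check that keeps the unlink() calls above from reaching files outside the uploads directory (the helper name and the scratch-directory setup are assumptions for illustration):

```php
<?php
// Added illustration (not the plugin's own code): a hypothetical helper that
// replaces unlink( $uploads['basedir'] . $_POST[...] ). The request may only
// name a file that resolves to a location inside the uploads directory.
function delete_upload_within_basedir( string $basedir, string $user_path ): bool {
    // Null bytes can truncate paths in C-level filesystem calls; refuse them.
    if ( strpos( $user_path, "\0" ) !== false ) {
        return false;
    }
    $base = realpath( $basedir );
    if ( $base === false ) {
        return false;
    }
    // realpath() collapses "." / ".." segments and follows symlinks, so the
    // comparison below is made on the real on-disk location, not the string.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $user_path, '/\\' ) );
    if ( $candidate === false ) {
        return false; // nothing there, and no resolved path to trust
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false; // resolved outside the uploads directory
    }
    if ( ! is_file( $candidate ) ) {
        return false; // directories and special files are never unlinked
    }
    return unlink( $candidate );
}

// Constructed demonstration in a scratch directory, not a WordPress install.
$root      = sys_get_temp_dir() . '/xprofile-demo-' . uniqid();
$uploads   = $root . '/uploads';
$protected = $root . '/protected.txt';
mkdir( $uploads . '/2018/01', 0700, true );
touch( $uploads . '/2018/01/avatar.jpg' );
touch( $protected );

$ok = delete_upload_within_basedir( $uploads, '/2018/01/avatar.jpg' );
echo 'in-tree file removed: ' . ( $ok && ! file_exists( $uploads . '/2018/01/avatar.jpg' ) ? 'yes' : 'no' ) . PHP_EOL;

$rejected = ! delete_upload_within_basedir( $uploads, '/../protected.txt' );
echo 'out-of-tree path rejected, file intact: ' . ( $rejected && file_exists( $protected ) ? 'yes' : 'no' ) . PHP_EOL;

// Clean up the scratch directory.
unlink( $protected );
rmdir( $uploads . '/2018/01' );
rmdir( $uploads . '/2018' );
rmdir( $uploads );
rmdir( $root );
```

The more robust fix is not to take the file path from the request at all: read the stored field value server-side and delete that, after the usual capability and nonce checks.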
Proof of Concept
https://www.youtube.com/watch?v=uIO_DvWCM3s
1 - Log in as a BuddyPress user.
2 - Open Edit Profile: http://target/members/admin/profile/edit/
3 - Submit profile data that includes an image.
4 - Change the delete-image parameter in the HTML and save the profile.
Results
wp-config is deleted, which restarts the whole system.
Note
Solution
Timeline
Date Discovery : 12/08/2017
Date Vendor Contact : 01/04/2018
Date Publish :
Date Resolution :