BugTraq
SEC Consult SA-20180314-0 :: Arbitrary Shortcode Execution & Local File Inclusion in WooCommerce Products Filter (PluginUs.Net) Mar 14 2018 04:36PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20180314-0 >
=======================================================================
title: Arbitrary Shortcode Execution & Local File Inclusion
product: WOOF - WooCommerce Products Filter (PluginUs.Net)
vulnerable version: 1.1.9
fixed version: 2.2.0
CVE number: (requested but not yet received)
impact: Critical
homepage: https://pluginus.net/
found: 2018-02-20
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"PluginUs.Net is a little team of talented professionals from Ukraine. Unlike
most of the big companies on the net, we believe in individual approach to
every our customer. Web development is our passion and we always try to go an
extra mile over our clients' expectations.

Our team specializes in development of WordPress plugins. It's always exciting
to try new technologies and approaches to get the project done and impress
clients by realization of their ideas!"

Source: https://pluginus.net/about-us/

Business recommendation:
------------------------
SEC Consult recommends to ugprade to the latest version available
as soon as possible. Further detailed security tests should be performed
in order to identify potential other security issues.

Vulnerability overview/description:
-----------------------------------
1. Arbitrary Shortcode Execution
The plugin implemented a page redraw AJAX function accessible to anyone
without any authentication.

WordPress shortcode markup in the "shortcode" parameters would be evaluated.
Normally unauthenticated users can't evaluate shortcodes as they are often
sensitive.

Additionally, it is noted that there are other implemented shortcodes that are
being used in this plugin which can be abused through the same attack. Worst,
some of them could lead to remote code execution.

2. Local File Inclusion
The vulnerability is due to the lack of args/input validation on render_html
before allowing it to be called by extract(), a PHP built-in function. Because
of this, the supplied args/input can be used to overwrite the $pagepath
variable which then could lead to local file inclusion attack.

Proof of concept:
-----------------
1. Arbitrary Shortcode Execution
The parameter "shortcode" within the "admin-ajax.php" script is affected by
the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof&shortcode=<<shortcode without []>>

2. Local File Inclusion
The parameter "shortcode" within the "admin-ajax.php" script is affected by
the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd

Vulnerable / tested versions:
-----------------------------
PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and
found to be vulnerable.

Vendor contact timeline:
------------------------
2018-02-20: Contacting vendor through realmag777 (at) gmail (dot) com [email concealed]
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory

Solution:
---------
The vendor provides an updated version and users are urged to upgrade to version
2.2.0 immediately:

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-
2-2-0/

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Ahmad Ramadhan / @2018

0? *?H?÷
 ?0?10
 `?He0? *?H?÷
 ? 0?¯0?? à#Ë?S?­anzTgk!0
 *?H?÷
 0o1 0 USE10U
 AddTrust AB1&0$U AddTrust External TTP Network1"0 UAddTrust External CA Root0
141222000000Z
200530104838Z0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0?"0
 *?H?÷
?0?
??±
ÚzSNpR¼V¦&·¸Ià?çQ«ñðZI£´?`¼zQB§y?¤"ßaN?Õv#
ÓJ¶ ?n¥=Ùº»þ¡?©.CRC|¯2PȦOZéØÏ?%?{?è0dæ¤øV?ý*$3?¬Dåi?£FKÂ3Ôé@?°±¬?@¹
µ?:?*S£Û= a<U?ÙNv%!)ú£|qvOîá_éûT?ÛÃ{5R·?Þ"=,0-1Y½R7°3i-CëúÖ¥ñ?wgQ?Ùî'ë¼¥8v?¤©
8ÿß?õ¬I¾Ê÷s?:2«??:=F:WtaP¾Æ@?Ëäâ?¢!£?0?0U#0?­½?z4´&÷
úÄ&Tï½à$ËT0U?ak?ᢠªOìgñ£÷´?Áì0Uÿ?0Uÿ0
ÿ0U%0++0U 
00U 0DU=0;09 7 5?3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
+)0'0%+0?http://ocsp.usertrust.com0
 *?H?÷
 ?*n¬UÁ:«?ÅØíÍUóªka+À #?Åfjo±õ´µw^aß}þ³¤??üû[jr
A¼ºÁXÕ&ÂêÕM?ûþ??ÏXã"c?Rø»6«}X¥Þ«;cåÚÕsïìàû{â£ÿðB#?ʶM>äK²¨-ÔØ»BKi
?Û¦74è{à¥?Ê:Ç?O?4n?eÐ?»©ÜÊÊ6ÑôüÂd)5¯Ö±§qÒC±>?ì?2Sôv?Ê?4¹,ÊæJØ?
Á?â?ûZBj#!éeÇõÕ»~ê?? bêÑ:,YÅ?3ò8?å¶ézyöJ&ú|?û?0?a0?I +?þ%³`??5T«´0
 *?H?÷
 0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0
170301000000Z
200229235959Z0?W1 0 UAT1
0 U270010UNiederoesterreich10U Wr. Neustadt10U Komarigasse 14/11.0,U
%SEC Consult Unternehmensberatung GmbH1I0GU @Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag10U Corporate Secure Email1&0$USEC Consult Vulnerability Lab1'0% *?H?÷
 research (at) sec-consult (dot) com0 [email concealed]?"0
 *?H?÷
?0?
?çââ³×p¼¬ÉÓ#ëäoú=1X ÏsÍldhmþ·}jµ?ýySüx??¡%Vl´9«ÖHÍO½Ë Z|¢ò?q4äËg?7ò?ù?t¥Á±å1Pzò¦<*WÒj,?%x?? ä??F ¼ÜpF/*ÛЩk*TÅöb²??ÖӏñÏZ?QP´?wH;qf¢?r5·ÉyhXcü(#1~ ôYS"YÐ`U
?øô¤rP1u^ËØP.ëë?f}SÅäÖ[Hd¥ ¢áorà­ ÔB?{u·@J·²¨°×®6vL±
h:?i -V£?ËLBóa£?à0?Ü0U#0??ak?ᢠªOìgñ£÷´?Áì0U
G?gx.§~¢Òü¥El?%0Uÿ 0 Uÿ00U%0++0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0]UV0T0R P
 N?Lhttp://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEma
ilCA.crl0+?0?0X+0?Lhttp://crt.comodoca.com/COMODOS
HA256ClientAuthenticationandSecureEmailCA.crt0$+0?http://ocsp.c
omodoca.com0#U0research (at) sec-consult (dot) com0 [email concealed]
 *?H?÷
 ?CÑË×úpÿtR
ðH§Àz7!]J ºæû¼]¨µX i?òÉ£­©cwSÀ/?­?ÓOÑ:þ Úøw?P[óü¹ÁÒ&©ã?ü-6?L5Y?ù6àòÀõ$Äð?z¼.È?ïNþ±ñ?øK×ÈV ® ¯ä@nÞ9ó¹Rk«*Ò¶èDÞÞ
(D'I5Ëé
{Ë­à¦]FϨújRO^pº=õ ?æ?18!??¤q µa=c@2ÞTC?ïþ´4?~-?ø¿À?Hÿ¹¨r.ÁØ ØXW?YÊÆ?á:??ZÔûµ4àÒ2CSq3»?`Û?I?Ö²Ë3gj?ù»º x1?A0?=0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
 `?He ?a0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
180314163656Z0/ *?H?÷
 1" T-öÙäÕk" lt0Wêº?hÿqg­ðÖR÷?!0l *?H?÷
 1_0]0  `?He*0  `?He0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0Á +?71³0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0Ã *?H?÷
  1³ °0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
 *?H?÷
?Ì¦æØb<ÑÂ?'²Ë®Ñ6ϱæük?¶¾Kz?!?'ZbIÐtƳ¾n驸?;Çñ«ÕÅ·^ýq¥
µ²ÙÖý®æ_/>:+8ÖtÒ?»f©??éL¶ýBÈÀ¤V
±jÉáES¿J.+éyåB7Xì;§Õ
¶p½a`(sM?X*®Ò²féK)ýà3?}-?¿?%¢Ù2F"1,rh¶sNÖ?#åç¾?ɍяN°ä"ûuËeç
OÁƬ¡¹ã%7?§ ?É?ÝfÒL.=s!rSßx½º(9
QWҁ÷t%( ¯ÑH?}²ÿÓ~?à

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus