oss-sec mailing list archives

Re: CVE request: WordPress plugin wp-cleanfix CSRF


From: Henri Salo <henri () nerv fi>
Date: Sat, 18 May 2013 12:50:54 +0300

On Sat, May 18, 2013 at 12:54:23AM -0600, Kurt Seifried wrote:
> Sorry I'm not clear, this appears to be two vulns, a CSRF, and a
> remote code exec, the remote code exec can be triggered via the CSRF
> (so remote anon attacker can pull this off with some social
> engineering/etc.), but can also be done by users with access? Thanks.

File wpCleanFixAjax.php contains:

        $command = strip_tags( $_POST['command'] );
        eval ( $command );

and there is:

if ( is_admin() && _wpdk_is_ajax() ) {

So it only works when logged in as administrator. This is not a security
vulnerability as is, because a WordPress administrator can upload/edit PHP as she
or he likes.

There is a CSRF vulnerability, which can be used to execute arbitrary PHP.

POST /wordpress/wordpress-351/wp-admin/admin-ajax.php
action=wpCleanFixAjax&command=echo phpversion();

So in short: two vulnerabilities, but eval can't be used without CSRF as far as
I can tell.

---
Henri Salo
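For readers of this thread, here is an added example of what a hardened version of such an admin-ajax handler looks like; it is not code from the wp-cleanfix plugin or from either poster. The hook name, nonce action, script handle and command table are assumptions chosen for illustration. It addresses both points raised above: the CSRF (a per-user nonce checked with check_ajax_referer()) and the eval() of request data (replaced by a fixed table of callables). Note also that is_admin() only reports that the request targets the admin side, which is true for every admin-ajax.php call regardless of who is logged in, so a capability check is needed as well.

```php
<?php
// Added example, not the plugin's own code. Hook names, the nonce action
// 'wpcleanfix_demo_action', the script handle and the command table are
// assumptions for illustration only.

add_action( 'wp_ajax_wpcleanfix_demo', 'wpcleanfix_demo_ajax_handler' );

function wpcleanfix_demo_ajax_handler() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action and the current user. check_ajax_referer() terminates the
    //    request if the nonce is missing or invalid, so a form submitted
    //    from a third-party site never reaches the code below.
    check_ajax_referer( 'wpcleanfix_demo_action', 'nonce' );

    // 2. Authorisation: is_admin() is true for any admin-ajax.php request,
    //    whoever sent it. Check the caller's capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. No eval(): the client may only *select* a behaviour from a fixed
    //    table of callables, never supply code of its own.
    $commands = array(
        'php_version' => 'phpversion',
        'wp_version'  => 'wpcleanfix_demo_wp_version',
    );
    $command = isset( $_POST['command'] )
        ? sanitize_key( wp_unslash( $_POST['command'] ) )
        : '';
    if ( ! isset( $commands[ $command ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown command' ), 400 );
    }

    wp_send_json_success( array( 'result' => call_user_func( $commands[ $command ] ) ) );
}

function wpcleanfix_demo_wp_version() {
    return get_bloginfo( 'version' );
}

// Client side: the nonce is handed to the admin page's script so it can be
// sent with each request. A cross-site page cannot read this value, which is
// what makes the check_ajax_referer() call above effective against CSRF.
function wpcleanfix_demo_enqueue() {
    wp_enqueue_script( 'wpcleanfix-demo', plugins_url( 'demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpcleanfix-demo', 'wpCleanFixDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpcleanfix_demo_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpcleanfix_demo_enqueue' );
```

The order of the three checks matters: the nonce check runs first so that a forged request is rejected before any privileged code path is reached, and the command table means that even an authenticated administrator's request cannot turn the handler into a PHP interpreter.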
