SEO by SQUIRRLY™ [Path Traversal]
Description
The SEO by SQUIRRLY™ plugin suffers from a Path Traversal vulnerability.
The plugin allows anyone to request and download the file that is set as
the favicon. When requesting the file, the optional parameter
$_GET['sq_size'] can be used to traverse the path of the requested file,
thus allowing an attacker to download arbitrary files from the server.
In order to exploit this vulnerability two conditions must be met:
1. The value of option sq_use evaluates to true
2. A favicon is set
By default neither of these conditions is met. However, for the plugin to
be of any use after setup, the user must activate it, which changes the
value of (1) to 1, so the only non-trivial condition is (2).
PoC
In this PoC we download the wp-config.php file, given that the favicon
path relative to ABSPATH is wp-content/uploads/squirrly/favicon.png:
curl 'http://sbwp1.dev/?sq_get=touchicon&sq_size=%2500/../../../../wp-config.php'
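Added example (not part of the original advisory or the plugin's code): a log check for requests like the one above. The PoC value is double-encoded (%2500 becomes %00 after one decode and a NUL byte after the second), so the check decodes sq_size repeatedly before testing it. The log format, sample lines and function names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (client IPs are documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2016:10:00:01 +0000] "GET /?sq_get=touchicon&sq_size=76 HTTP/1.1" 200 4123',
    '203.0.113.9 - - [27/May/2016:10:00:05 +0000] "GET /?sq_get=touchicon&sq_size=%2500/../../../../wp-config.php HTTP/1.1" 200 3310',
    '203.0.113.9 - - [27/May/2016:10:00:09 +0000] "GET /?sq_get=touchicon&sq_size=..%252f..%252fwp-config.php HTTP/1.1" 404 0',
    '198.51.100.2 - - [27/May/2016:10:01:00 +0000] "GET /?s=../etc HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Substrings that have no place in a size value once it is fully decoded.
INDICATORS = [("nul-byte", "\x00"), ("dot-dot", ".."), ("slash", "/"), ("backslash", "\\")]


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded), e.g. %2500 -> %00 -> NUL."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(lines):
    """Return (client_ip, [reasons]) for each request whose sq_size looks like a path."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs performs the first decode; fully_decode peels any further layers.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for raw in params.get("sq_size", []):
            value = fully_decode(raw)
            reasons = [name for name, needle in INDICATORS if needle in value]
            if reasons:
                hits.append((line.split()[0], reasons))
    return hits


if __name__ == "__main__":
    for client, reasons in find_traversal_attempts(SAMPLE_LOG):
        print(client, ",".join(reasons))
```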
- 27 May 2016
- Pan Vag
- squirrly.co
- SEO by SQUIRRLY™
- 6.1.0
- WordPress 4.5.2, Apache 2.4.16, PHP 5.6.20
- DWF-2016-87050