22 Nov

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that issue, we traced back the code involved and at first could not figure out how part of it would work. Once we worked that out, we noticed that the plugin also contains an authenticated local file inclusion (LFI) vulnerability.

The plugin makes its main admin page available to anyone with the “read” capability. That capability provides access to the admin dashboard and is granted to Subscriber-level users and above (in the file /vpm.php):

$menu = add_menu_page('Vpm Project Manager', 'Project Manager', 'read', 'vpm-project', 'vpm_project' );

The function called includes the file /view/index.php:

function vpm_project() {
	$body	=	'project';
	include( VPMDIR . '/view/index.php');
}

In that file, if the GET input “module” exists, its value is used directly in an include statement:

if(isset($_GET['module'])) {
	$body = sanitize_text_field($_GET['module']);
}
 
// Loads the body page for each specific menu/tasks inside the plugin.
include $body.".php";

Nothing there restricts directory traversal, so files outside the directory that the plugin's view files are meant to be included from can be included as well.
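As an added example, not code from the plugin or its developer, the following shows how the “module” handling in /view/index.php could be hardened. It assumes the VPMDIR constant the plugin already defines, assumes the view files live in VPMDIR/view, and uses a hypothetical allowlist of module names (the real names would come from the plugin's view directory). sanitize_text_field() strips tags and control characters but leaves “../” untouched, which is why the original include can be steered outside the view directory; the replacement below applies two independent controls, an allowlist and a realpath() containment check.

```php
<?php
// Added example (not the plugin's code): hardened replacement for the
// "module" lookup at the top of /view/index.php.
// Assumes VPMDIR is defined by the plugin and views live in VPMDIR/view.

// Hypothetical allowlist; replace with the view names the plugin ships.
const VPM_ALLOWED_MODULES = array( 'project', 'task', 'milestone', 'settings' );

/**
 * Resolve a requested module name to an absolute path inside $view_dir,
 * or return null when the request must be rejected.
 */
function vpm_resolve_module( $requested, $view_dir, array $allowed ) {
	// Default module when nothing was requested.
	if ( $requested === null || $requested === '' ) {
		$requested = 'project';
	}
	// Arrays (module[]=...) and other non-strings are rejected outright.
	if ( ! is_string( $requested ) ) {
		return null;
	}

	// Control 1: exact match against the allowlist. Any value containing
	// "/", "\", ".." or a null byte fails here because it is not in the list.
	if ( ! in_array( $requested, $allowed, true ) ) {
		return null;
	}

	// Control 2: the resolved file must still sit inside the view directory,
	// so a mistake in the allowlist cannot turn into traversal.
	$base = realpath( $view_dir );
	$file = realpath( $view_dir . '/' . $requested . '.php' );
	if ( $base === false || $file === false ) {
		return null;
	}
	if ( strpos( $file, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
		return null;
	}
	return $file;
}

// Hardened replacement for the original "if(isset($_GET['module']))" block.
$requested = isset( $_GET['module'] ) ? wp_unslash( $_GET['module'] ) : null;
$target    = vpm_resolve_module( $requested, VPMDIR . '/view', VPM_ALLOWED_MODULES );
if ( $target === null ) {
	// Unknown or malformed module: refuse rather than include anything.
	wp_die( esc_html__( 'Unknown module.', 'vpm' ), '', array( 'response' => 400 ) );
}
include $target;
```

The allowlist alone is sufficient to stop the “..%2Ftest” style request; the realpath() check is defence in depth for the case where a later edit adds a module name that itself contains a path separator.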

We used this vulnerability as the basis for adding checks for some local file inclusion (LFI) vulnerabilities to our security checker for WordPress plugins.

We notified the developer of the issue on October 23. They responded the same day that it would be fixed within two weeks, but so far no new version of the plugin has been released. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept, when used while logged in to WordPress, will cause a file named test.php in the root directory of the WordPress installation to be included.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=vpm-project&module=..%2Ftest

Timeline

  • October 23, 2017 – Developer notified.
  • October 23, 2017 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
