22 Nov 2017

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that vulnerability we traced back the code involved, and at first we couldn’t figure out how part of it worked. Once we did, we noticed that the plugin also contains an authenticated local file inclusion (LFI) vulnerability.

The plugin makes its main admin page available to anyone with the “read” capability. That capability grants access to the admin dashboard and is held by Subscriber-level users and above, so any logged-in user can reach the page (in the file /vpm.php):

$menu = add_menu_page('Vpm Project Manager', 'Project Manager', 'read', 'vpm-project', 'vpm_project' );

The function called includes the file /view/index.php:

function vpm_project() {
	$body	=	'project';
	include( VPMDIR . '/view/index.php');
}

In that file, if the GET input “module” exists, its value is used in an include statement:

if(isset($_GET['module'])) {
	$body = sanitize_text_field($_GET['module']);
}

// Loads the body page for each specific menu/tasks inside the plugin.
include $body.".php";

Nothing there restricts directory traversal: sanitize_text_field() strips tags, line breaks and extra whitespace but leaves dots and slashes untouched, so a value containing ../ escapes the directory the files are intended to be included from, and files elsewhere on the server can be included.
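As an added example that is not part of the original post or of the plugin’s code, here is a hardened form of the include from /view/index.php: the module name must come from a fixed allowlist (the module names below are assumed for illustration), and the resolved path is confirmed with realpath() to lie inside the view directory before it is included, so a traversal value such as ..%2Ftest is refused instead of included.

```php
<?php
// Added example, not the plugin's own code. Assumes VPMDIR is defined by
// the plugin and that each allowed module exists as VPMDIR/view/<name>.php.

function vpm_resolve_module( $requested, $default = 'project' ) {
    // Defence 1: accept only names from a fixed allowlist. These names are
    // assumed for the example; a real fix would list the plugin's actual modules.
    $allowed = array( 'project', 'task', 'report', 'settings' );

    $name = is_string( $requested ) ? sanitize_text_field( $requested ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        $name = $default;
    }

    // Defence 2: even with an allowlist, verify the resolved file is still
    // inside the view directory. realpath() collapses any ../ components, so
    // a path that escapes the directory fails the prefix comparison.
    $view_dir = realpath( VPMDIR . '/view' );
    $target   = realpath( $view_dir . '/' . $name . '.php' );
    if ( false === $view_dir || false === $target
        || 0 !== strpos( $target, $view_dir . DIRECTORY_SEPARATOR ) ) {
        return false; // missing file or escaped directory: do not include
    }
    return $target;
}

$body_file = vpm_resolve_module( isset( $_GET['module'] ) ? $_GET['module'] : null );
if ( false === $body_file ) {
    wp_die( 'Unknown module.' );
}
include $body_file;
```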

We used this vulnerability as the basis for adding checks for some local file inclusion (LFI) vulnerabilities to our security checker for WordPress plugins.

We notified the developer of the issue on October 23. They responded the same day that it would be fixed within two weeks, but so far no new version of the plugin has been released. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=vpm-project&module=..%2Ftest

Timeline

  • October 23, 2017 – Developer notified.
  • October 23, 2017 – Developer responds.
