Code Injection Security Vulnerability in a WordPress Plugin

Discussion in 'Penetration Testing' started by magicvn, Nov 21, 2014.

  1. magicvn

    magicvn New Member

    Joined:
    Aug 10, 2014
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    0
    Vulnerability title: Code Injection in Wordpress CM Download Manager plugin
    CVE: CVE-2014-8877
    Plugin: CM Download Manager plugin
    Vendor: CreativeMinds - https://www.cminds.com/
    Product: https://wordpress.org/plugins/cm-download-manager/
    Affected version: 2.0.0 and previous version
    Fixed version: 2.0.4
    Google dork: inurl:cmdownloads
    Reported by: Le Ngoc Phi - phi.n.le (at) itas (dot) vn [email concealed]
    Credits to ITAS Team - www.itas.vn


    :: DESCRIPTION ::


    A code injection vulnerability was found in the CM Download Manager plugin for WordPress. This bug allows an anonymous attacker to take full control of the website and run operating system commands.


    Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
    Vulnerable code: (Line: 130 -> 158)


    Code:
    public static function alterSearchQuery($search, $query)
    {
        if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) )
        {
            global $wpdb;
            $search_term = $_GET['CMDsearch'];
            if( !empty($search_term) )
            {
                $search = '';
                $query->is_search = true;
                // added slashes screw with quote grouping when done early, so done later
                $search_term = stripslashes($search_term);
                preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
                $terms = array_map('_search_terms_tidy', $matches[0]);

                $n = '%';
                $searchand = ' AND ';
                foreach((array) $terms as $term)
                {
                    $term = esc_sql(like_escape($term));
                    $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
                }
                add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
                remove_filter('posts_request', 'relevanssi_prevent_default_request');
                remove_filter('the_posts', 'relevanssi_query');
            }
        }
        return $search;
    }

    :: SOLUTION ::
    Update to version 2.0.4


    :: DISCLOSURE ::
    2014-11-08 initial vendor contact
    2014-11-10 vendor response
    2014-11-10 vendor confirmed
    2014-11-11 vendor release patch
    2014-11-14 public disclosure


    :: REFERENCE ::
    https://downloadsmanager.cminds.com/release-notes/
    http://www.itas.vn/news/code-injection-in-cm-download-manager-plugin-66.html?language=en
     
    Last edited: Nov 21, 2014
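The root cause in the advisory is the `create_function()` call: the request parameter `CMDsearch` is concatenated into a string that PHP then compiles as source, so quote characters and PHP syntax in the parameter are executed rather than returned. The block below is an added example, not code from the CM Download Manager plugin or from ITAS; it shows the hardened form of that filter (a closure that captures the value as data) and a small source audit that flags the dangerous shape. The function names `cmdm_safe_search_query_filter`, `cmdm_register_search_filter` and `audit_create_function` are hypothetical, and the sample strings are constructed for the self-check.

```php
<?php
/**
 * Added example, not the plugin's or the vendor's code.
 * Hardened replacement for the pattern in the advisory plus a source audit.
 * All function names here are hypothetical.
 */

// The advisory's vulnerable line builds PHP source out of request input:
//   add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
// create_function() compiles its second argument as PHP code, so the request
// value is evaluated, not returned. The function is deprecated since PHP 7.2
// and removed in PHP 8.0, so the closure form below is also the portable one.

// Hardened: a closure captures $search_term by value. Whatever characters the
// string contains, it is only ever data; nothing is parsed as PHP source.
function cmdm_safe_search_query_filter(string $search_term): Closure
{
    return function (string $q) use ($search_term): string {
        // Returned as-is; WordPress escapes the search query on output
        // (esc_html()/esc_attr() at the call site), so do not double-escape here.
        return $search_term;
    };
}

// Register the filter the way the plugin does, only when WordPress is loaded,
// so this file can also be run stand-alone with the PHP CLI.
function cmdm_register_search_filter(string $search_term): void
{
    if (function_exists('add_filter')) {
        add_filter('get_search_query', cmdm_safe_search_query_filter($search_term), 99, 1);
    }
}

// Minimal audit for plugin code reviews: flag create_function() calls whose
// body argument is assembled by concatenation, which is the shape that turns
// input into code. Returns "line: source" strings for each finding.
function audit_create_function(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        if (preg_match('/create_function\s*\(\s*[\'"][^\'"]*[\'"]\s*,\s*(.*)\)/', $line, $m)
            && strpos($m[1], ' . ') !== false) {
            $findings[] = ($index + 1) . ': ' . trim($line);
        }
    }
    return $findings;
}

// Self-check on constructed input (not a real request or real plugin source).
$constructed = 'term with "quotes" and ; semicolons';
$filter = cmdm_safe_search_query_filter($constructed);
if ($filter('ignored') !== $constructed) {
    throw new RuntimeException('closure did not return the captured value verbatim');
}

$sampleSource = 'add_filter(\'get_search_query\', create_function(\'$q\', \'return "\' . $search_term . \'";\'), 99, 1);';
if (count(audit_create_function($sampleSource)) !== 1) {
    throw new RuntimeException('audit did not flag the concatenated create_function() body');
}
echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when the closure returns the captured string unchanged and the audit flags the constructed vulnerable line. The same audit regex is a reasonable first pass over a plugin directory (`grep -rn 'create_function' wp-content/plugins/`) when checking whether any other installed plugin uses the pattern the advisory describes.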
  2. nontakjaba

    nontakjaba Member

    Joined:
    Dec 10, 2017
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    16
    Gender:
    Male
    Thanks for sharing.
     
