Advisory:

Moving any file PHP user has access to in BP Group Documents 1.2.1

Vulnerability

Last revised:

An admin user (or, because the settings form has no CSRF protection, anybody who can get a logged-in admin to visit a crafted page) can move any file the PHP user can access to a location inside the uploads directory. Once the file sits in the uploads directory, they are likely to be able to read it over the web.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 9 (High)
  • Access vector: Network
  • Access complexity: Low
  • Authentication: None
  • Confidentiality impact: Partial
  • Integrity impact: Partial
  • Availability impact: Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

As a logged-in admin, visit a page containing this form and submit it (or add auto-submission and cause a logged-in admin to visit it):

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=bp-group-documents-settings">
  <input name="group" value="1">
  <input name="file" value="../../../../wp-config.php">
  <input type="submit">
</form>

This will cause the wp-config.php file to be moved to a location within wp-content/uploads. In my case it was wp-content/uploads/group-documents/1/1380203685-……..wp-config.php. In this example I broke a WordPress installation, leaving the site wide open to another person to come in and do the “famous five minute install”. There may also be handy config files lying around that you could read by moving them to the web root.
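For context, here is an added illustration (not BP Group Documents code and not the 1.2.2 fix) of the three checks such a handler needs: a nonce to stop CSRF, a capability check, and a containment check that canonicalises the requested path and refuses anything outside the allowed directory. The function names, the hypothetical `incoming/` staging directory and the `<uploads>/group-documents/<group>/` layout (taken from the path above) are assumptions; the form is assumed to carry `wp_nonce_field( 'bpgd_move_document' )`.

```php
<?php
// Added illustration, not the plugin's code. Requires PHP 7+ and WordPress.
// Assumed layout: files may only be moved from <uploads>/group-documents/incoming/
// (hypothetical staging area) into <uploads>/group-documents/<group>/.

// Resolve $relative against $base and return the absolute path, or false when
// the result is missing or lies outside $base. realpath() collapses "../" and
// symlinks, so the prefix comparison is made on canonical paths only.
function bpgd_resolve_inside( $base, $relative ) {
    $real_base = realpath( $base );
    $real_file = realpath( $base . '/' . ltrim( $relative, '/\\' ) );
    if ( false === $real_base || false === $real_file ) {
        return false;
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $real_file, $real_base ) ) {
        return false; // e.g. "../../../../wp-config.php" resolves outside $base
    }
    return $real_file;
}

function bpgd_move_document_handler() {
    // CSRF: the POST must carry a valid nonce for this action (wp_die()s if not).
    check_admin_referer( 'bpgd_move_document' );
    // Authorisation: a valid nonce alone does not prove the user may do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $uploads = wp_upload_dir();
    $root    = $uploads['basedir'] . '/group-documents';
    $group   = absint( $_POST['group'] ?? 0 );          // digits only, never a path
    $file    = wp_unslash( $_POST['file'] ?? '' );

    // Containment: the source must resolve inside the staging directory.
    $source = bpgd_resolve_inside( $root . '/incoming', $file );
    if ( 0 === $group || false === $source || ! is_file( $source ) ) {
        wp_die( 'Invalid file or group.', '', array( 'response' => 400 ) );
    }

    // Destination is built from the validated group id and the base name only,
    // so neither parameter can steer the move elsewhere.
    $dest_dir = $root . '/' . $group;
    wp_mkdir_p( $dest_dir );
    $dest = $dest_dir . '/' . time() . '-' . sanitize_file_name( basename( $source ) );
    if ( ! rename( $source, $dest ) ) {
        wp_die( 'Move failed.', '', array( 'response' => 500 ) );
    }
}
```

With these checks the proof-of-concept request fails at the nonce check when replayed cross-site, and at the containment check even when submitted by a genuine admin.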

Advisory timeline

  • 2013-09-26: Discovered
  • 2013-09-30: Reported to plugins@wordpress.org
  • 2013-10-04: Fix released (1.2.2)

Mitigation/further actions

Update to version 1.2.2.