WOOF WooCommerce Products Filter 1.1.9 LFI / Code Execution

#197
Topic created · 1 Posts · 1 Views
  • WOOF WooCommerce Products Filter from PluginUs.Net version 1.1.9 suffers from shortcode execution and local file inclusion vulnerabilities.
    MD5 | 20403a264b5473118a85d5699ea5b70f
    Download

    SEC Consult Vulnerability Lab Security Advisory < 20180314-0 >  
    =======================================================================  
    title: Arbitrary Shortcode Execution & Local File Inclusion  
    product: WOOF - WooCommerce Products Filter (PluginUs.Net)  
    vulnerable version: 1.1.9  
    fixed version: 2.2.0  
    CVE number: (requested but not yet received)  
    impact: Critical  
    homepage: https://pluginus.net/  
    found: 2018-02-20  
    by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)  
    SEC Consult Vulnerability Lab  
    An integrated part of SEC Consult  
    Europe | Asia | North America  
    https://www.sec-consult.com  
    =======================================================================  
    Vendor description:  
    -------------------  
    "PluginUs.Net is a little team of talented professionals from Ukraine. Unlike  
    most of the big companies on the net, we believe in individual approach to  
    every our customer. Web development is our passion and we always try to go an  
    extra mile over our clients' expectations.  
    Our team specializes in development of WordPress plugins. It's always exciting  
    to try new technologies and approaches to get the project done and impress  
    clients by realization of their ideas!"  
    Source: https://pluginus.net/about-us/  
    Business recommendation:  
    ------------------------  
    SEC Consult recommends to ugprade to the latest version available  
    as soon as possible. Further detailed security tests should be performed  
    in order to identify potential other security issues.  
    Vulnerability overview/description:  
    -----------------------------------  
    1. Arbitrary Shortcode Execution  
    The plugin implemented a page redraw AJAX function accessible to anyone  
    without any authentication.  
    WordPress shortcode markup in the "shortcode" parameters would be evaluated.  
    Normally unauthenticated users can't evaluate shortcodes as they are often  
    sensitive.  
    Additionally, it is noted that there are other implemented shortcodes that are  
    being used in this plugin which can be abused through the same attack. Worst,  
    some of them could lead to remote code execution.  
    2. Local File Inclusion  
    The vulnerability is due to the lack of args/input validation on render_html  
    before allowing it to be called by extract(), a PHP built-in function. Because  
    of this, the supplied args/input can be used to overwrite the $pagepath  
    variable which then could lead to local file inclusion attack.  
    Proof of concept:  
    -----------------  
    1. Arbitrary Shortcode Execution  
    The parameter "shortcode" within the "admin-ajax.php" script is affected by  
    the code execution vulnerability:  
    POST /wp-admin/admin-ajax.php HTTP/1.1  
    [...]  
    action=woof_redraw_woof&shortcode=<<shortcode without []>>  
    2. Local File Inclusion  
    The parameter "shortcode" within the "admin-ajax.php" script is affected by  
    the local file inclusion vulnerability:  
    POST /wp-admin/admin-ajax.php HTTP/1.1  
    [...]  
    action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd  
    Vulnerable / tested versions:  
    -----------------------------  
    PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and  
    found to be vulnerable.  
    Vendor contact timeline:  
    ------------------------  
    2018-02-20: Contacting vendor through [[email protected]](/cdn-cgi/l/email-protection)  
    2018-02-20: Vendor agreed to proceed without encrypted channel  
    2018-02-21: Sent security advisory to vendor  
    2018-02-26: Vendor sent patch containing the fixes  
    2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability  
    2018-03-12: Request update from vendor  
    2018-03-12: Vendor said they already published the patch  
    2018-03-14: Public release of security advisory  
    Solution:  
    ---------  
    The vendor provides an updated version and users are urged to upgrade to version  
    2.2.0 immediately:  
    https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/  
    Workaround:  
    -----------  
    None  
    Advisory URL:  
    -------------  
    https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    SEC Consult Vulnerability Lab  
    SEC Consult  
    Europe | Asia | North America  
    About SEC Consult Vulnerability Lab  
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
    ensures the continued knowledge gain of SEC Consult in the field of network  
    and application security to stay ahead of the attacker. The SEC Consult  
    Vulnerability Lab supports high-quality penetration testing and the evaluation  
    of new offensive and defensive technologies for our customers. Hence our  
    customers obtain the most current information about vulnerabilities and valid  
    recommendation about the risk profile of new technologies.  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    Interested to work with the experts of SEC Consult?  
    Send us your application https://www.sec-consult.com/en/career/index.html  
    Interested in improving your cyber security with the experts of SEC Consult?  
    Contact our local offices https://www.sec-consult.com/en/contact/index.html  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    Mail: research at sec-consult dot com  
    Web: https://www.sec-consult.com  
    Blog: http://blog.sec-consult.com  
    Twitter: https://twitter.com/sec_consult  
    EOF Ahmad Ramadhan / @2018  
    

    Source: packetstormsecurity.com

Log in to reply