WordPress Ad Widget 2.10.0 Local File Inclusion

#198
Topic created · 1 Posts · 0 Views
  • WordPress Ad Widget plugin versions 2.10.0 and below suffer from a local file inclusion vulnerability.
    MD5 | a02c1bb177145fdea032f28a60278396
    Download

    A A A A A A A A A A A A A  DefenseCode ThunderScan SAST Advisory  
    A A A A A A A A  WordPress Ad Widget Plugin Local File Inclusion  
    A A A A A A A A A A A A A A A A A A A A  Security Vulnerability  
    Advisory ID:A A A  DC-2017-01-001  
    Advisory Title: WordPress Ad Widget Plugin Local file Inclusion  
    A Security Vulnerability  
    Advisory URL:A A  http://www.defensecode.com/advisories.php  
    Software:A A A A A A  WordPress Ad Widget plugin  
    Language:A A A A A A  PHP  
    Version:A A A A A A A  2.10.0 and below  
    Vendor Status:A  Vendor contacted, update released  
    Release Date:A A  2017/10/10  
    Risk:A A A A A A A A A A  Medium  
    1. General Overview  
    ===================  
    During the security audit of Ad Widget plugin for WordPress CMS,  
    security vulnerability was discovered using DefenseCode ThunderScan  
    application source code security analysis platform.  
    More information about ThunderScan is available at URL:  
    http://www.defensecode.com  
    2. Software Overview  
    ====================  
    According to the plugin developers, Ad Widget enables it's users to  
    easily upload ad images and ad code to their sidebar, for those that  
    don't need or want a complicated ad management system.  
    According to wordpress.org, it has more than 30,000 active installs.  
    Homepage:  
    https://wordpress.org/plugins/ad-widget/  
    https://github.com/broadstreetads/wordpress-ad-widget  
    http://broadstreetads.com/about/contact/  
    A A A A A A A   
    3. Vulnerability Description  
    ============================  
    During the security analysis, ThunderScan discovered Local File  
    Inclusion vulnerability in WP Ad Widget plugin. By requesting a  
    specially crafted URL, the attacker can cause remote server to execute  
    a php file of his choosing. Although the user requesting the URL has  
    to be logged into the WordPress administrative console, the attacker  
    can cause the administrator to request such a URL by using various  
    social engineering/phishing approaches. Specified file will be  
    interpreted by php interpreter, and any valid php code will indeed be  
    executed. If the php installation on server has "allow_url_include=1"  
    configuration option set, this attack can be expanded to execute a php  
    file from any remote URL. If the php version is less than 5.3.4, the  
    ".php" that gets appended to the end of the file name attacker chose  
    can be omitted by adding a null character ("%00") to the requested  
    URL, and enable the attacker to execute any file, regardless of the  
    extension.  
    3.1. Local File Inclusion  
    A  File:A A A A A A  ad-widget\views\modal\index.php  
    A  Fucntion:A A  require "$page.php";  
    A  Variable:A A  $_GET['step'];  
    A  Sample URL:  
    http://vulnerablesite.com/wp-content/plugins/ad-widget/views/modal/?step=../../../../../../../etc/passwd%00  
    A  File: ad-widget\views\modal\index.php  
    A A A  ---------  
    A A A  38A  $page = @$_GET['step'];  
    A A A  ...  
    A A A  68A  require "$page.php";  
    A A A  ---------  
    A   
    4. Solution  
    ===========  
    Vendor thanked us and notified us the security issue was fixed after  
    we reported it. All users are strongly advised to update WordPress  
    Ad Widget plugin to the latest available version.  
    5. Credits  
    ==========  
    Discovered by Neven Biruski using DefenseCode ThunderScan source code  
    security analyzer.  
    A   
    6. Disclosure Timeline  
    ======================  
    2017/03/28A A A A A  Vendor contacted  
    2017/04/04A A A A A  Vendor responded  
    2017/04/04A A A A A  Update released  
    2017/10/10A A A A A  Advisory released to the public  
    7. About DefenseCode  
    ====================  
    DefenseCode L.L.C. delivers products and services designed to analyze  
    and test web, desktop and mobile applications for security  
    vulnerabilities.  
    DefenseCode ThunderScan is a SAST (Static Application Security  
    Testing, WhiteBox Testing) solution for performing extensive security  
    audits of application source code. ThunderScan SAST performs fast and  
    accurate analyses of large and complex source code projects delivering  
    precise results and low false positive rate.  
    DefenseCode WebScanner is a DAST (Dynamic Application Security  
    Testing, BlackBox Testing) solution for comprehensive security audits  
    of active web applications. WebScanner will test a website's security  
    by carrying out a large number of attacks using the most advanced  
    techniques, just as a real attacker would.  
    Subscribe for free software trial on our website  
    http://www.defensecode.com/ .  
    E-mail: defensecode[at]defensecode.com  
    Website: http://www.defensecode.com  
    Twitter: https://twitter.com/DefenseCode/  
    

    Source: packetstormsecurity.com

Log in to reply