Vendor: Buddypress Xprofile Custom Fields Type
By: Lenon Leite
CVSS: 8.8 (HIGH)
Type: Remote Code Execution
CWE: 79
Product Name: Buddypress Xprofile Custom Fields Type
Affected Version From: 2.6.3
Affected Version To: 2.6.3
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:buddypress_xprofile_custom_fields_type:2.6.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 16.1
Year: 2018

Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE – Unlink

A vulnerability exists in the plugin Buddypress Xprofile Custom Fields Type 2.6.3: the $_POST[ 'field_' . $field_id . '_hiddenfile' ] and $_POST[ 'field_' . $field_id . '_deleteimg' ] parameters are not escaped before use, allowing an attacker to execute arbitrary code. Exploitation requires only a regular (registered) user account: the attacker logs in, opens the Edit Profile page, saves profile data that includes an image, then edits the image-deletion parameter in the HTML form and saves the profile again.

Mitigation:

Ensure that all user-supplied input is properly sanitized and validated before being used in any application logic.
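As an added illustration of that mitigation (example code, not the plugin's own), the handler below shows how a profile-image deletion request should be checked before anything reaches unlink(): the request may only name the file the server already stored for that user, the name must be a bare file name with an allow-listed image extension, and the resolved path must stay inside the uploads directory. The function names, the $storedFile/$requestedFile parameters and the temporary demo directory are assumptions made for this example.

```php
<?php
// Added example (not code from the plugin): validate a user-supplied image
// reference before deleting it. Assumed inputs: $uploadsDir is the absolute
// uploads directory, $storedFile is the file name the application itself
// recorded for this user, $requestedFile is the raw value from the POST field.

function resolveUploadPath(string $uploadsDir, string $requested): ?string
{
    // Only a bare file name is acceptable; any directory component is rejected.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Allow-list the characters and the image extensions we expect to manage.
    if (!preg_match('/^[A-Za-z0-9._-]+\.(png|jpe?g|gif)$/i', $requested)) {
        return null;
    }
    $base = realpath($uploadsDir);
    $full = realpath($uploadsDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() follows symlinks, so a link that points outside the uploads
    // directory is rejected here as well as a literal "../" sequence.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

function deleteProfileImage(string $uploadsDir, string $storedFile, string $requestedFile): bool
{
    // The client may only ask to delete the file the server already associates
    // with this user; anything else is refused before the filesystem is touched.
    if ($storedFile === '' || !hash_equals($storedFile, $requestedFile)) {
        return false;
    }
    $path = resolveUploadPath($uploadsDir, $requestedFile);
    if ($path === null) {
        return false;
    }
    return unlink($path);
}

// Demonstration against a constructed temporary uploads directory.
$dir = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/avatar.png', 'constructed image bytes');
file_put_contents(sys_get_temp_dir() . '/outside.txt', 'must survive');

// A traversal attempt, a request for a file that is not this user's, and the
// legitimate delete: only the last one should reach unlink().
var_dump(deleteProfileImage($dir, 'avatar.png', '../outside.txt'));
var_dump(deleteProfileImage($dir, 'avatar.png', 'other.png'));
var_dump(deleteProfileImage($dir, 'avatar.png', 'avatar.png'));
```

The comparison against the server-side stored name is the decisive check: even a syntactically valid image name inside the uploads directory is refused unless it is the one recorded for the requesting user, which removes the need to trust the hidden form field at all.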

Exploit-DB raw data:

# Exploit Title:  Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE – Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Software Link:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.6.3
# Tested on: Ubuntu 16.1
#
#Article:
#http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/
#
#Video:
#https://www.youtube.com/watch?v=By7kT7UbHVk
#

1 - Description
  - Required user access: any registered BuddyPress user.
  - $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
  - $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.


2 - Proof of Concept

Log in as a regular user.

1 - Log in with a BuddyPress user

2 - Access Edit Profile:

http://target/members/admin/profile/edit/

3 - Register data with an image:

<http://target/wp-content/uploads/2018/01/buddypress-profile.png>

4 - Change the parameter to delete the image in the HTML and save the profile:

<http://target/wp-content/uploads/2018/01/buddypress-profile2.png>
<http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png>

#-- 
#*Regards*
#
#*Lenon Leite*