SEC Consult Vulnerability Lab Security Advisory < 20180314-0 > ======================================================================= title: Arbitrary Shortcode Execution & Local File Inclusion product: WOOF - WooCommerce Products Filter (PluginUs.Net) vulnerable version: 1.1.9 fixed version: 2.2.0 CVE number: (requested but not yet received) impact: Critical homepage: https://pluginus.net/ found: 2018-02-20 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "PluginUs.Net is a little team of talented professionals from Ukraine. Unlike most of the big companies on the net, we believe in individual approach to every our customer. Web development is our passion and we always try to go an extra mile over our clients' expectations. Our team specializes in development of WordPress plugins. It's always exciting to try new technologies and approaches to get the project done and impress clients by realization of their ideas!" Source: https://pluginus.net/about-us/ Business recommendation: ------------------------ SEC Consult recommends to ugprade to the latest version available as soon as possible. Further detailed security tests should be performed in order to identify potential other security issues. Vulnerability overview/description: ----------------------------------- 1. Arbitrary Shortcode Execution The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive. Additionally, it is noted that there are other implemented shortcodes that are being used in this plugin which can be abused through the same attack. Worst, some of them could lead to remote code execution. 2. Local File Inclusion The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable which then could lead to local file inclusion attack. Proof of concept: ----------------- 1. Arbitrary Shortcode Execution The parameter "shortcode" within the "admin-ajax.php" script is affected by the code execution vulnerability: POST /wp-admin/admin-ajax.php HTTP/1.1 [...] action=woof_redraw_woof&shortcode=<<shortcode without []>> 2. Local File Inclusion The parameter "shortcode" within the "admin-ajax.php" script is affected by the local file inclusion vulnerability: POST /wp-admin/admin-ajax.php HTTP/1.1 [...] action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd Vulnerable / tested versions: ----------------------------- PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and found to be vulnerable. Vendor contact timeline: ------------------------ 2018-02-20: Contacting vendor through realmag777@gmail.com 2018-02-20: Vendor agreed to proceed without encrypted channel 2018-02-21: Sent security advisory to vendor 2018-02-26: Vendor sent patch containing the fixes 2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability 2018-03-12: Request update from vendor 2018-03-12: Vendor said they already published the patch 2018-03-14: Public release of security advisory Solution: --------- The vendor provides an updated version and users are urged to upgrade to version 2.2.0 immediately: https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/ Workaround: ----------- None Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Ahmad Ramadhan / @2018