Buddypress Xprofile Custom Fields Type 2.6.3 Remote Code Execution

2018.04.10
Credit: Lenon Leite
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE – Unlink # Date: 08/04/2018 # Exploit Author: Lenon Leite # Vendor Homepage: # https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/ # Software Link: # https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/ # Contact: http://twitter.com/lenonleite # Website: http://lenonleite.com.br/ # Category: webapps # Version: 2.6.3 # Tested on: Ubuntu 16.1 # #Article: #http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/ # #Video: #https://www.youtube.com/watch?v=By7kT7UbHVk # 1 - Description - Type user access: any user registered used in BuddyPress. - $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped. - $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped. 2. Proof of Concept Login as regular user. 1- Log in with BuddyPress User 2 - Access Edit Profile: http://target/members/admin/profile/edit/ 3 - Register data with image: <http://target/wp-content/uploads/2018/01/buddypress-profile.png>4 - Change parameter to delete image in html and save profile: <http://target/wp-content/uploads/2018/01/buddypress-profile2.png> <http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png> #-- #*Atenciosamente* # #*Lenon Leite*

References:

https://www.youtube.com/watch?v=By7kT7UbHVk
http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top