Add Wordpress Plainview Activity Monitor RCE #12555

Merged
merged 6 commits into from Nov 29, 2019

leo-lb commented Nov 10, 2019

Description:

Plainview Activity Monitor WordPress plugin is vulnerable to OS
command injection, which allows an attacker to remotely execute
commands on the underlying system. The application passes unsafe user-supplied
data in the ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to a CSRF attack and reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution with just an admin click on a malicious link.

From: https://www.exploit-db.com/exploits/45274

Description:

```
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.
```
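
The mitigation for the injection described above, as an added PHP example (not the plugin's code and not the Metasploit module in this pull request). The function names are hypothetical, and it assumes the `ip` field feeds a reverse lookup: the value is accepted only if it is a complete IP literal, and the lookup goes through the resolver so no command line is ever built.

```php
<?php
declare(strict_types=1);

// Added illustration: function names are hypothetical, not the plugin's code.

/** Return the value as a validated IP literal, or null if it is anything else. */
function example_parse_ip($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 45) {   // 45 = longest textual IPv6 form
        return null;
    }
    // FILTER_VALIDATE_IP accepts only a complete IPv4/IPv6 literal, so spaces,
    // quotes and shell metacharacters can never be part of an accepted value.
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** Reverse-resolve a validated address without invoking a shell. */
function example_reverse_lookup(string $ip): ?string
{
    $host = @gethostbyaddr($ip);   // resolver call, no command string involved
    // gethostbyaddr() returns the unmodified address when nothing resolves.
    return ($host === false || $host === $ip) ? null : $host;
}

/** Handle one request's "ip" field: reject before any lookup is attempted. */
function example_handle_lookup(array $post): array
{
    $ip = example_parse_ip($post['ip'] ?? null);
    if ($ip === null) {
        return ['status' => 400, 'error' => 'ip must be an IPv4 or IPv6 address'];
    }
    return ['status' => 200, 'ip' => $ip, 'host' => example_reverse_lookup($ip)];
}

// Constructed sample inputs, not taken from real traffic.
$samples = ['127.0.0.1', '2001:db8::1', '192.0.2.10|constructed-suffix', ' 192.0.2.10', ''];
foreach ($samples as $value) {
    $result = example_handle_lookup(['ip' => $value]);
    printf("%-34s -> %d\n", json_encode($value), $result['status']);
}
```

Only the first two samples return status 200; the rest are rejected before any lookup runs.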

leo-lb commented Nov 10, 2019

@bcoles The code is partially inspired from exploits/unix/webapp/wp_total_cache_exec and I took your documentation as a template from #12532 -- I hope that's OK.


bcoles commented Nov 10, 2019

> @bcoles The code is partially inspired from exploits/unix/webapp/wp_total_cache_exec and I took your documentation as a template from #12532 -- I hope that's OK.

No worries. The code is pretty standard - mostly boilerplate.

cdelafuente-r7 self-assigned this Nov 22, 2019

cdelafuente-r7 left a comment

Thanks for this great contribution! I just have some comments before it lands.

leo-lb added 3 commits Nov 27, 2019
leo-lb added 2 commits Nov 28, 2019

cdelafuente-r7 commented Nov 29, 2019

Thanks! Great job on this one!

cdelafuente-r7 added a commit that referenced this pull request Nov 29, 2019
cdelafuente-r7 merged commit 1cf9a2e into rapid7:master Nov 29, 2019
0 of 3 checks passed
Metasploit Automation - Sanity Test Execution: Running automation sanity tests. Details available on completion.
Metasploit Automation - Test Execution: Running automation framework tests. Details available on completion.
continuous-integration/travis-ci/pr: The Travis CI build is in progress
msjenkins-r7 added a commit that referenced this pull request Nov 29, 2019

leo-lb commented Nov 29, 2019

@cdelafuente-r7 my commits weren't squashed, it just trashed master's commit history :/


cdelafuente-r7 commented Dec 2, 2019

No worry, I agree these last commits could have been squashed before it lands, but it's not a problem. Master's commit history is fine :)
