CVE-2023-3664 – FileOrganizer <= 1.0.2 - Admin+ Arbitrary File Access

During a security assessment of the FileOrganizer plugin, a medium vulnerability was uncovered in versions up to and including 1.0.2. This vulnerability allows an attacker to manipulate the plugin’s root folder, potentially compromising the security of the entire system. The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

Main info:

CVE	CVE-2023-3664
Plugin	FileOrganizer
Critical	Medium
Publicly Published	September 3, 2023
Last Updated	September 3, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A5: Broken Access Control
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3664 https://wpscan.com/vulnerability/d59e6eac-3ebf-40e0-800c-8cbef345423f
Plugin Security Certification by CleanTalk

Timeline

July 11, 2023	Plugin testing and vulnerability detection in the FileOrganizer access plugin have been completed
July 12, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 3, 2023	The author has not released an update
September 3, 2023	Registered CVE-2023-3664

Discovery of the Vulnerability

During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on

Understanding of Path Traversal attack’s

Path Traversal is a type of vulnerability that occurs when an application allows users to navigate outside the intended directory structure. In the case of FileOrganizer, the plugin lacks proper validation, enabling an attacker to traverse directories beyond the expected boundaries.

For instance, if the plugin expects files to be within the /var/www/html directory, an attacker can use path traversal techniques to access directories like /home, /etc, or even ../../../../../, which could lead to unauthorized access to sensitive files and system resources.

Exploiting the Path Traversal

Exploiting this vulnerability involves crafting malicious requests that contain directory traversal sequences, such as “../” or “%2e%2e%2f”, to trick the plugin into accessing files and directories outside its intended scope. This allows the attacker to view, modify, or exfiltrate sensitive files.

POC:

1. Go to settings page of this plugin

2. Change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

3. Then navigate to the page of plugin

4. You will be able to list the files/folders outside of WordPress root directory

Potential Risks and Real-World Impact

The impact of this vulnerability is significant:

1. Unauthorized Data Access: Attackers can access and potentially steal sensitive files, including configuration files, user data, and other confidential information.
2. System Compromise: An attacker could use this vulnerability to compromise the entire system, execute arbitrary code, or manipulate critical files.
3. Data Loss: Files may be deleted, altered, or accessed without authorization, leading to data loss and system instability.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-3664 and enhance the security of the FileOrganizer plugin, the following measures are strongly advised:

1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for Path Traversal.
2. Input Validation: Implement thorough input validation and sanitization to prevent path traversal attacks and unauthorized file access.
3. Access Controls: Implement proper access controls to restrict file access based on user privileges.
4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent Path Traversal attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
   
   

By addressing the path traversal vulnerability in the FileOrganizer plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their data and systems.

#WordPressSecurity #PathTraversal #WebsiteSafety #StayProtected #MediumVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website