Infusionsoft Gravity Forms Add-on 1.5.3 - 1.5.10, Arbitrary File Upload

The Infusionsoft Gravity Forms Add-on plugin for WordPress ships, in its default installation, a script intended to let the user re-generate certain templates. No authentication is required to access this script and no validation is performed on user input, which allows an unauthenticated user to write arbitrary content either to files owned by the web server's user or to new files under a directory owned by (or writable by) the web server's user. This can lead to arbitrary code execution via custom PHP files.

Homepage

https://wordpress.org/plugins/infusionsoft/

CVSS Score

6.4

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 1.5.11

Proof of Concept

Upon installation of the plugin, browse to http://localhost/wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator.php. Once at this URL, you are able to input any PHP source you wish (such as a PHP web shell). When you click submit, the script will output to a number of templates the PHP source you specified in the first step. You are then able to browse to any of these scripts by name, and the PHP source will be executed.
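As an added defender-side example (not part of the original advisory), the following Python checks whether an installed copy falls in the affected version range and flags access-log requests to the unauthenticated endpoint named above. The log lines and plugin header text are constructed samples; the endpoint path and version numbers are the ones stated in this advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Endpoint from the advisory: reachable without authentication in affected versions,
# so any request to it on a production site deserves investigation.
VULN_ENDPOINT = "/wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator.php"
FIRST_AFFECTED = (1, 5, 3)
FIXED_VERSION = (1, 5, 11)

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Read the 'Version:' field of a WordPress plugin file header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(header_text: str) -> bool:
    """True when the header's version lies in the affected range 1.5.3 <= v < 1.5.11."""
    v = parse_version(header_text)
    return v is not None and FIRST_AFFECTED <= v < FIXED_VERSION


def find_exploit_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request whose path (query string stripped) is the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == VULN_ENDPOINT:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "status": m.group("status"), "ts": m.group("ts")})
    return hits


# Constructed sample data (not real traffic): one GET of the form, one POST of the
# template content, one unrelated request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Sep/2014:10:12:01 +0000] "GET ' + VULN_ENDPOINT + ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Sep/2014:10:12:09 +0000] "POST ' + VULN_ENDPOINT + ' HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2014:10:13:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4032 "-" "Mozilla/5.0"',
]
PLUGIN_HEADER_OLD = "<?php\n/*\nPlugin Name: Infusionsoft Gravity Forms Add-on\nVersion: 1.5.10\n*/\n"
PLUGIN_HEADER_FIXED = "<?php\n/*\nPlugin Name: Infusionsoft Gravity Forms Add-on\nVersion: 1.5.11\n*/\n"

if __name__ == "__main__":
    print("affected install:", is_vulnerable_version(PLUGIN_HEADER_OLD))
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print("endpoint hit:", hit)
```

In practice the POST is the write; a 200 on that request followed by a new `.php` file under the plugin's `utilities` directory is the incident to triage.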

Timeline

  • 2014-09-17: Discovered
  • 2014-09-17: Reported to vendor
  • 2014-09-17: CVE requested
  • 2014-09-18: Response from vendor, stating a fix will be released tomorrow
  • 2014-09-18: 1.5.11 released – issue resolved
  • 2014-09-19: CVE assigned
  • 2014-09-25: Advisory released