IP Blacklist Cloud 3.42, Arbitrary File Disclosure

The IP Blacklist Cloud plugin exposes several AJAX actions to users. One of these, 'importCSVIPCloud', appears to be used to import CSV files into the system's blacklist. The action is susceptible to directory traversal and does not check file extensions, so it can be used to retrieve the contents of any file on the server that the web server process can read. The action requires that the calling user has the 'manage_options' capability. This is still worth reporting: it is true that an attacker who has compromised a user with this privilege has many other options, but if a site administrator has made the files that are editable via the WordPress administrative interface read-only, the scope of what the compromised user can do on the file system is limited. This vulnerability allows a user with adequate access to the WordPress instance to read arbitrary files on the system, potentially compromising further credentials such as FTP and MySQL passwords, amongst other sensitive information.

Homepage

https://wordpress.org/plugins/ip-blacklist-cloud/

CVSS Score

4.0

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Attack Scope

Remote

Authorization Required

Administrative

Mitigation

Update to version 3.43

Proof of Concept

Visiting the following URL while logged in as a user with the 'manage_options' capability returns the contents of wp-config.php, from the root of the WordPress installation, as part of a JSON response (which is often malformed, since the file is not valid CSV).

http://localhost/?action=importCSVIPCloud&filename=../../../wp-config.php
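As an added example, not code from the plugin or its author, the following PHP places a reconstruction of the vulnerable pattern described in this advisory beside a hardened handler. The plugin's actual source is not reproduced on this page, so the vulnerable function, the function names, the hook and the 'nonce' parameter are assumptions; only the action name 'importCSVIPCloud', the 'filename' parameter and the 'manage_options' requirement come from the advisory.

```php
<?php
// Added example: not the IP Blacklist Cloud plugin's code. The vulnerable
// handler is a reconstruction of the pattern the advisory describes; the
// function names, the hook and the nonce action ('ipbc_import_csv') are assumed.

// Vulnerable pattern (reconstructed). The capability check is the only gate:
// 'filename' is concatenated into a path unchanged, so '..' segments are
// honoured and any readable file, not just a .csv, is returned to the caller.
function ipbc_import_csv_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden' );
    }
    $dir  = wp_upload_dir();
    $path = $dir['basedir'] . '/' . $_GET['filename'];          // traversal: '..' not rejected
    echo json_encode( array( 'rows' => file( $path ) ) );       // whole file echoed back
    wp_die();
}

// Hardened form. Returns the canonical path of a .csv inside $base_dir, or
// false if the name escapes the directory, has the wrong extension, or does
// not exist.
function ipbc_resolve_csv_path( $filename, $base_dir ) {
    // basename() drops any directory component (so '../../../wp-config.php'
    // becomes 'wp-config.php'); sanitize_file_name() strips other unsafe characters.
    $name = sanitize_file_name( basename( (string) $filename ) );
    if ( '' === $name || 'csv' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        return false;
    }
    $base = realpath( $base_dir );
    $real = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $real ) {
        return false;   // missing file or directory
    }
    // realpath() has collapsed symlinks, so a prefix check on the canonical
    // path catches a symlink inside the upload directory pointing elsewhere.
    if ( 0 !== strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        return false;
    }
    return $real;
}

function ipbc_import_csv_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden' );
    }
    // Nonce action name is assumed; it must match the nonce emitted on the
    // plugin's settings page. This also blocks CSRF against the import action.
    check_ajax_referer( 'ipbc_import_csv', 'nonce' );

    $dir      = wp_upload_dir();
    $filename = isset( $_GET['filename'] ) ? wp_unslash( $_GET['filename'] ) : '';
    $path     = ipbc_resolve_csv_path( $filename, $dir['basedir'] );
    if ( false === $path ) {
        wp_send_json_error( 'invalid filename' );
    }
    $lines = file( $path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    $rows  = array_map( 'str_getcsv', $lines );
    // The actual insertion into the blacklist is omitted here; only the count
    // of parsed rows is returned, never the raw file contents.
    wp_send_json_success( array( 'imported' => count( $rows ) ) );
}

// Hook name assumed: the PoC URL hits the site root rather than admin-ajax.php,
// so the real plugin may dispatch the action from a different hook.
add_action( 'wp_ajax_importCSVIPCloud', 'ipbc_import_csv_hardened' );
```

With the request shown above, 'filename' collapses to wp-config.php in the hardened handler, fails the .csv extension check and the caller gets a JSON error rather than the file. The three checks are deliberately layered: basename() removes the traversal, the extension check closes the specific hole this advisory describes, and the realpath() prefix comparison guards against a symlink inside the upload directory pointing at something outside it. The nonce is an extra safeguard the advisory does not mention; without it, an administrator could be made to trigger the import from another site.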

Timeline

  • 2015-03-05: Discovered
  • 2015-03-05: Vendor notified
  • 2015-03-05: Vendor responded with intent to release a fix in 3.43
  • 2015-03-06: Vendor provided source for 3.43 update – issue resolved.
  • 2015-03-13: Advisory released