Mashshare 2.3.0, Information Disclosure
The Mashshare plugin exposes a few AJAX commands via its own custom hook, which can be found in the file ‘includes/admin/admin-actions.php’, and the function ‘mashsb_process_actions’. This function is called upon the ‘admin_init’ action being fired, which can be triggered by anyone when visiting the admin AJAX handler. Coupled with the fact that there is no checking of user privilege on this function means that anonymous users are able to trigger certain functions intended for Administrative use only.
Update to version 2.3.1
Proof of Concept
Visiting the following URL on the target will disclose the content that is usually displayed in the ‘System Info’ tab, under the Administration panel, which includes PHP version, Plugins installed, and various other System information.
- 2015-04-14: Discovered
- 2015-04-14: Vendor notified
- 2015-04-14: Vendor responded with intent to fix
- 2015-04-17: Version 2.3.1 released – issue resolved
- 2015-04-25: Advisory released