Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTom AdamsPACKETSTORM:128137
HistorySep 03, 2014 - 12:00 a.m.

WordPress Advanced Access Manager 2.8.2 File Write / Code Execution

2014-09-0300:00:00
Tom Adams
packetstormsecurity.com
26

0.147 Low

EPSS

Percentile

95.8%

JSON
`Details  
================  
Software: Advanced Access Manager  
Version: 2.8.2  
Homepage: http://wordpress.org/plugins/advanced-access-manager/  
Advisory report: https://security.dxw.com/advisories/advanced-access-manager-allows-admin-users-to-write-arbitrary-text-to-arbitrary-locations-which-could-lead-to-arbitrary-code-execution-etc/  
CVE: CVE-2014-6059  
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)  
  
Description  
================  
Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary php  
  
Vulnerability  
================  
Advanced Access Manager allows writing arbitrary content to arbitrary files. Depending on the server configuration this could allow arbitrary code execution, overwriting core WordPress files and e.g. blanking wp-config.php. In other configurations this could lead to overwriting files in the uploads directory.  
  
Proof of concept  
================  
  
Visit http://localhost/wp-admin/admin.php?page=aam-configpress  
Press “Save” (this creates the “aam_configpress” option)  
Visit http://localhost/wp-admin/options.php  
Set “aam_configpress” to “test.php”  
Press “Save Changes”  
Visit http://localhost/wp-admin/admin.php?page=aam-configpress again  
Enter “<?php phpinfo();” into the textarea (without the quotes)  
Press “Save”  
Visit http://localhost/wp-content/aam/test.php  
  
Note that there is no restriction on using “../” in the “aam_configpress” option so depending on server configuration you could create files anywhere on the filesystem.  
This attack could be scripted to allow upload of binary files, including executable files.  
  
Mitigations  
================  
Upgrade to version 2.8.3 or later  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2014-08-20: Discovered  
2014-09-01: Reported to author via email  
2014-09-01: Requested CVE  
2014-09-01: Developer responded  
2014-09-02: Developer reported the issue fixed  
2014-09-03: Advisory published  
  
  
  
Discovered by dxw:  
================  
Tom Adams  
Please visit security.dxw.com for more information.  
  
  
  
  
`

Related

prion 1
cvelist 1
cve 1
patchstack 1
wpvulndb 1
nvd 1
zdt 1
prion
prion
Arbitrary file deletion
2020-01-13 13:15:00
cvelist
cvelist
CVE-2014-6059
2020-01-13 12:22:23
cve
cve
CVE-2014-6059
2020-01-13 13:15:12
patchstack
patchstack
WordPress Advanced Access Manager Plugin <= 2.8.2 - Admin User File Read/Write
2014-09-27 00:00:00
wpvulndb
wpvulndb
Advanced Access Manager 2.8.2 - Admin User File Read/Write
2014-09-27 12:33:33
nvd
nvd
CVE-2014-6059
2020-01-13 13:15:12
zdt
zdt
WordPress Advanced Access Manager 2.8.2 File Write / Code Execution
2014-09-04 00:00:00

0.147 Low

EPSS

Percentile

95.8%

JSON
Related for PACKETSTORM:128137
prion1cvelist1cve1patchstack1wpvulndb1nvd1zdt1