• Dear wp-super-cache/w3-total-cache developers,

    As you may be aware, WordPress allows some HTML in comments, including HTML comments. With wp-super-cache or w3-total-cache installed, PHP code, by design, is allowed in comments too. Not to mention that a relatively harmless XSS bug (or feature, depending on who you ask) is elevated into server-side code execution.

    The following examples work with wp-super-cache and w3-total-cache, all you need to do is post a comment with:
    – to display time and date:
    <!--mfunc eval(base64_decode( redacted )); --><!--/mfunc-->

    – php shell/backdoor upload:
    <!--mfunc eval(base64_decode( also redacted, see a trend here ;) )); --><!--/mfunc-->
    The shell will eval($_POST["e"]) and can be accessed at: http://path/to/blog/wp-content/redacted

    I suggest you remove the mfunc/mclude features entirely; it’s way too hazardous to parse and execute the output.

    Regards,
    Csaba

    PS.
    Below you’ll find the same proof-of-concept examples escaped with base64:

    [ Just plain deleted ]

    http://wordpress.org/extend/plugins/wp-super-cache/
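Editor's note, added example (not code from the post above or from either plugin): the post's point is that the caching plugins scan page output for `<!--mfunc ...--><!--/mfunc-->` and `<!--mclude ...--><!--/mclude-->` markers and execute what they find, so comment text that survives WordPress's HTML filtering becomes server-side code. The Python below shows what a site owner who cannot yet remove the feature would want: a matcher that recognises the marker syntax the way a permissive parser would (case-insensitive, whitespace-tolerant, multi-line), flags a comment on the bare token so that an unclosed or split marker is also rejected, and neutralises any marker before it can reach the cache. The regular expressions are my own approximation of the syntax shown in the post, not the plugins' actual parsing code; the sample comments are constructed, with harmless PHP bodies standing in for the redacted base64 payloads. In a real deployment the equivalent check would run as a PHP filter on incoming comment content before it is stored.

```python
import re

# Constructed sample comments (not from the original post). The PHP bodies are
# stand-ins for the base64-wrapped payloads the post redacts.
SAMPLE_COMMENTS = {
    "benign": "Nice post! <!-- just an html comment --> <b>thanks</b>",
    "mfunc_date": "<!--mfunc echo date('r'); --><!--/mfunc-->",
    "mfunc_mixed_case": "hello <!-- MFUNC  system('id'); --> x <!--/MFUNC -->",
    "mclude": "<!--mclude wp-content/uploads/x.php--><!--/mclude-->",
    "unclosed": "look: <!--mfunc phpinfo(); -->",
}

# Assumed marker grammar, modelled on the examples in the post; the plugins'
# real expressions may differ, so this matcher is deliberately permissive.
# Group 1: marker type, group 2: payload (PHP for mfunc, a path for mclude),
# group 3: any static content between the open and close markers.
BLOCK_RE = re.compile(
    r"<!--\s*(mfunc|mclude)\b(.*?)-->(.*?)<!--\s*/\1\s*-->",
    re.IGNORECASE | re.DOTALL,
)

# The bare opening or closing token, with or without a matching partner.
TOKEN_RE = re.compile(r"<!--\s*/?\s*(mfunc|mclude)\b", re.IGNORECASE)


def find_dynamic_blocks(text):
    """Return (marker_type, payload) for every complete mfunc/mclude block."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in BLOCK_RE.finditer(text)]


def is_dangerous_comment(text):
    """True if the comment contains a marker token at all.

    Deciding on the bare token rather than on a complete block is intentional:
    an unclosed marker, or one whose closing half arrives in a later comment,
    is still an attempt and must not be allowed anywhere near the cache parser.
    """
    return TOKEN_RE.search(text) is not None


def sanitize_comment(text):
    """Strip complete blocks, then break any leftover token so '<!--' is no
    longer a literal comment opener that the cache parser could recognise."""
    text = BLOCK_RE.sub("", text)
    return TOKEN_RE.sub(lambda m: m.group(0).replace("<!--", "&lt;!--"), text)


def triage(comments):
    """Map each comment name to whether it would be rejected."""
    return {name: is_dangerous_comment(body) for name, body in comments.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_COMMENTS).items():
        blocks = find_dynamic_blocks(SAMPLE_COMMENTS[name])
        print(f"{name:18} dangerous={verdict!s:5} blocks={blocks}")
    print(repr(sanitize_comment(SAMPLE_COMMENTS["unclosed"])))
```

Matching on the token rather than on a well-formed block is the part worth copying: any sanitizer that only removes balanced pairs can be bypassed by splitting the pair across two comments that end up adjacent in the rendered page.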

Viewing 4 replies - 16 through 19 (of 19 total)
  • The topic ‘mfunc issue’ is closed to new replies.