Mashshare 2.3.0, Information Disclosure

The Mashshare plugin exposes a few AJAX commands via its own custom hook, which can be found in the file ‘includes/admin/admin-actions.php’, in the function ‘mashsb_process_actions’. This function is called when the ‘admin_init’ action fires, and that action can be triggered by anyone who visits the admin AJAX handler. Because the function performs no check of the caller’s privilege, anonymous users are able to trigger certain functions intended for administrative use only.
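To make the root cause concrete, here is an added illustration of the pattern the advisory describes and of a hardened dispatcher. It is not the plugin’s own code: the function names, the ‘example_’ prefix, the nonce action name and the capability are assumptions; only ‘admin_init’ and the ‘mashsb-action’ request parameter come from the advisory.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the
// 'example_' prefix, the nonce action and the capability are assumed.

// --- Vulnerable pattern (shown for contrast, not hooked) ---
// 'admin_init' also fires for requests to admin-ajax.php, which an
// unauthenticated visitor can reach, and nothing here asks who the caller is.
function example_process_actions_vulnerable() {
    if ( isset( $_REQUEST['mashsb-action'] ) ) {
        do_action( 'example_' . $_REQUEST['mashsb-action'], $_REQUEST );
    }
}

// --- Hardened form ---
function example_process_actions_fixed() {
    if ( ! isset( $_REQUEST['mashsb-action'] ) ) {
        return;
    }

    // 1. Require a logged-in user holding an administrative capability.
    //    This alone would have stopped the anonymous disclosure.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // 2. Require a valid nonce so a logged-in administrator cannot be made
    //    to fire the action by following a crafted link (CSRF).
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_key( $_REQUEST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_admin_action' ) ) {
        return;
    }

    // 3. Dispatch only on an allow-listed action name, never on the raw
    //    request string, so unexpected hooks cannot be reached at all.
    $allowed = array( 'tools_tab_system_info' );
    $action  = sanitize_key( $_REQUEST['mashsb-action'] );
    if ( in_array( $action, $allowed, true ) ) {
        do_action( 'example_' . $action, $_REQUEST );
    }
}
add_action( 'admin_init', 'example_process_actions_fixed' );
```

Privileged handlers are better hooked to an authenticated AJAX action (‘wp_ajax_{name}’ rather than ‘wp_ajax_nopriv_{name}’) than to ‘admin_init’, but the capability and nonce checks above are still required inside the handler.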

Homepage

https://wordpress.org/plugins/mashsharer/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 2.3.1

Proof of Concept

Visiting the following URL on the target discloses the content normally shown only in the ‘System Info’ tab of the administration panel, which includes the PHP version, the installed plugins, and various other system information.

http://localhost/wp-admin/admin-ajax.php?action=-&mashsb-action=tools_tab_system_info

Timeline

  • 2015-04-14: Discovered
  • 2015-04-14: Vendor notified
  • 2015-04-14: Vendor responded with intent to fix
  • 2015-04-17: Version 2.3.1 released – issue resolved
  • 2015-04-25: Advisory released