
WordPress plugin WooCommerce arbitrary file deletion vulnerability resolution

2024-02-13 15:37:04

The permission-handling mechanism of WordPress works mainly by granting different capabilities to different roles. When the shop manager role is defined, it is assigned the edit_users capability so that shop managers can manage the store's customer accounts directly. The whole assignment happens while the plugin is installed, in woocommerce/includes/class-wc-install.php:

    // Shop manager role.
    add_role(
        'shop_manager',          // Internal name of the new role
        'Shop manager',          // The label for displaying
        array(                   // Capabilities
            ⋮
            'read_private_posts' => true,
            'edit_users'         => true,
            'edit_posts'         => true,
            ⋮
        )
    );

The role and capability information is stored in the database through WordPress core's own settings, which means the user role is independent of the plugin: even if the plugin is deactivated, the role's capabilities are unaffected.

When an authenticated user tries to modify another user's information, the current_user_can() function is called to ensure that only privileged users can perform the operation. An example call to current_user_can():

    $target_user_id = $_GET['target_user_id'];
    if (current_user_can('edit_user', $target_user_id)) {
        edit_user($target_user_id);
    }

The check this call expresses is: does the current user have permission to modify the specific user whose ID is $target_user_id?

By default, the edit_users capability allows authorized users (such as shop managers) to edit other users, including administrator users, and then perform operations such as password updates. For security reasons, WooCommerce needs to specify whether shop managers may edit a given user, so the plugin has to add a meta capability function. This meta function is consulted by current_user_can(). The value returned by current_user_can() is true by default, but the value returned by the meta capability function decides whether the current user may perform the operation. The following is abstracted code for WooCommerce's meta capability filter:

    function disallow_editing_of_admins( $capability, $target_user_id ) {
        // If the user is an admin return false and disallow the action
        if ($capability == "edit_user" && user_is_admin($target_user_id)) {
            return false;
        } else {
            return true;
        }
    }
    add_filter('map_meta_cap', 'disallow_editing_of_admins');

For example, when current_user_can('edit_user', 1) is called, the filter determines whether the user with ID 1 ($target_user_id) is an administrator and decides, based on the result, whether to allow the operation.

Shop managers disabling plugins

By default, only administrators can deactivate plugins. However, this vulnerability lets shop managers delete any writable file on the server, so WordPress can be stopped from loading the plugin by deleting WooCommerce's main file, woocommerce.php.

The file deletion vulnerability lies in WooCommerce's logging feature, where logs are stored as .log files in the wp-content directory. When a shop manager wants to delete a log file, the file name is submitted as a GET parameter. The code shown below is the vulnerable part:

woocommerce/includes/admin/class-wc-admin-status.php

    class WC_Admin_Status {
        public static function remove_log() {
            ⋮
            $log_handler = new WC_Log_Handler_File();
            $log_handler->remove(wp_unslash($_REQUEST['handle']));
        }
    }

woocommerce/includes/log-handlers/class-wc-log-handler-file.php

    class WC_Log_Handler_File extends WC_Log_Handler {
        public function remove($handle) {
            ⋮
            $file = trailingslashit(WC_LOG_DIR) . $handle;
            ⋮
            unlink($file);
        }
    }

The problem here is that the file name ($handle) is appended to the log directory (wp-content/wc-logs/) and then passed directly to the unlink() function. When $handle is set to "../../plugins/woocommerce-3.45/woocommerce.php", the file wp-content/wc-logs/../../plugins/woocommerce-3.45/woocommerce.php is deleted, which results in WooCommerce being disabled.
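The abstracted filter quoted above does not use the signature WordPress actually calls map_meta_cap with. The following is an added example written for this page, not WooCommerce's code, showing how the same guard looks against the real filter: map_meta_cap receives the primitive capabilities mapped so far, the meta capability name, the acting user's ID and the call arguments, and returning the never-granted capability 'do_not_allow' makes current_user_can() fail. The function name example_protect_admin_accounts is a placeholder; add_filter(), get_userdata() and the 'administrator' role are WordPress core.

```php
<?php
// Added example, not WooCommerce's own code. A map_meta_cap filter in the form
// WordPress actually calls it: it stops any user who is not an administrator
// (a shop_manager, for instance) from editing, deleting or promoting an
// administrator account. Assumes it runs inside a WordPress plugin; add_filter()
// and get_userdata() are WordPress core, the function name is a placeholder.

/**
 * @param string[] $caps    Primitive capabilities WordPress has mapped $cap to so far.
 * @param string   $cap     Meta capability being checked, e.g. 'edit_user'.
 * @param int      $user_id ID of the user performing the action.
 * @param array    $args    Extra arguments; for the user meta caps $args[0] is the target user ID.
 * @return string[]         Capabilities the acting user must hold for the action.
 */
function example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    // Only the meta capabilities that act on another user account are of interest.
    if ( ! in_array( $cap, array( 'edit_user', 'delete_user', 'promote_user' ), true ) ) {
        return $caps;
    }
    if ( empty( $args[0] ) ) {
        return $caps;
    }
    $target_id = (int) $args[0];

    // Acting on your own account is left to the normal rules.
    if ( $target_id === (int) $user_id ) {
        return $caps;
    }

    $target = get_userdata( $target_id );
    $actor  = get_userdata( $user_id );
    if ( ! $target || ! $actor ) {
        return $caps;
    }

    $target_is_admin = in_array( 'administrator', (array) $target->roles, true );
    $actor_is_admin  = in_array( 'administrator', (array) $actor->roles, true );

    // A non-administrator may not touch an administrator account. 'do_not_allow'
    // is a capability no role ever has, so current_user_can() returns false.
    if ( $target_is_admin && ! $actor_is_admin ) {
        return array( 'do_not_allow' );
    }

    return $caps;
}
// Priority 10, and tell WordPress to pass all four filter arguments.
add_filter( 'map_meta_cap', 'example_protect_admin_accounts', 10, 4 );
```

With this filter active, current_user_can('edit_user', 1) evaluated for a shop manager returns false whenever user 1 is an administrator, while edits to ordinary customer accounts remain governed by the edit_users capability the role was granted at install time.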
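The vulnerable remove() concatenates the request value onto WC_LOG_DIR and deletes the result. The following is an added example written for this page, not WooCommerce's actual patch, showing the two checks a hardened version needs: an allowlist on the shape of the handle, and a realpath() containment check that the resolved path is a regular file directly inside the log directory. It is stand-alone PHP that runs from the command line; the function names and the temporary log directory are constructed for the demonstration, and the list of handles includes the traversal string from the article so its rejection can be seen.

```php
<?php
// Added example, not WooCommerce's actual patch. Resolve a user-supplied log
// handle to a file path only if it names a plain .log file directly inside the
// log directory; everything else is refused. Stand-alone PHP (CLI); the names
// are placeholders chosen for this example.

/**
 * Return the canonical path of the log file $handle refers to, or null if the
 * handle must not be honoured.
 */
function example_resolve_log_file( string $log_dir, string $handle ): ?string {
    // Check 1: allowlist the handle's shape. Letters, digits, '-', '_' and
    // single dots, ending in ".log". This rejects '/', '\' and '..' outright.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.log$/', $handle ) ) {
        return null;
    }

    // Check 2: canonicalise both sides and require the file to sit directly in
    // the log directory. realpath() resolves symlinks and '..' segments, so even
    // a handle the regex let through cannot escape the directory.
    $dir  = realpath( $log_dir );
    $file = realpath( rtrim( $log_dir, '/' ) . '/' . $handle );
    if ( false === $dir || false === $file ) {
        return null;                      // directory or file does not exist
    }
    if ( dirname( $file ) !== $dir || ! is_file( $file ) ) {
        return null;                      // not a regular file in the log directory
    }
    return $file;
}

/**
 * Hardened counterpart of WC_Log_Handler_File::remove(): delete only what
 * example_resolve_log_file() accepted. Returns true if a file was removed.
 */
function example_remove_log( string $log_dir, string $handle ): bool {
    $file = example_resolve_log_file( $log_dir, $handle );
    if ( null === $file ) {
        return false;
    }
    return unlink( $file );
}

// Demonstration on a constructed temporary log directory with one sample log.
$log_dir = sys_get_temp_dir() . '/wc-logs-example-' . getmypid();
mkdir( $log_dir );
file_put_contents( $log_dir . '/fatal-errors.log', "constructed sample log line\n" );

$handles = array(
    'fatal-errors.log',                               // legitimate handle
    '../../plugins/woocommerce-3.45/woocommerce.php', // traversal string from the article
    'fatal-errors.log/../fatal-errors.log',           // traversal hidden behind a real name
    'missing.log',                                    // well-formed but no such file
);
foreach ( $handles as $handle ) {
    $resolved = example_resolve_log_file( $log_dir, $handle );
    printf( "%-50s %s\n", $handle, null === $resolved ? 'rejected' : 'accepted' );
}

// Only the legitimate handle leads to an unlink(); the traversal attempt is refused.
var_dump( example_remove_log( $log_dir, '../../plugins/woocommerce-3.45/woocommerce.php' ) );
var_dump( example_remove_log( $log_dir, 'fatal-errors.log' ) );
rmdir( $log_dir );
```

The two checks are deliberately redundant: the allowlist is what a reviewer can verify by reading, while the realpath() comparison also covers paths that reach outside the directory through a symlink placed inside it, which no string filter on the handle can detect.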

