A security vulnerability, CVE-2023-0156, has been disclosed in the All-In-One Security (AIOS) WordPress plugin. The plugin does not limit which log files its settings page will display, so an authenticated user with the Administrator role or higher (admin+) can view the contents of arbitrary files and list directories anywhere on the server that the web server process can read. The plugin only displays the last 50 lines of the requested file. The vulnerability affects AIOS plugin versions before 5.1.5.

Background

The All-In-One Security WordPress plugin is a popular security solution for WordPress websites, helping to protect a site against a range of common attacks. However, CVE-2023-0156 turns one of its own settings pages into a file reader: an administrator, or an attacker who has obtained an administrator session, can use it to read files outside the WordPress installation, such as server configuration files or the wp-config.php of other sites on a shared host, provided the web server can read them. The exposure matters most where administrators are not otherwise trusted with shell or filesystem access, for example on multisite networks or managed hosting, since on a single-site install an administrator can already install plugins and run PHP.

Exploit Details

The issue resides in the AIOS plugin's settings pages, where the log viewer does not restrict which file it will display. As a result, an admin user can supply any path and view the contents of arbitrary files and directory listings on the server. Although only the last 50 lines of a file are shown, that is enough to expose sensitive data such as credentials in configuration files, private keys, or application source code, and repeated requests against different paths let an attacker map the filesystem.

Here's a code snippet illustrating the vulnerable section in the AIOS plugin:

class aiosp_common {
    public static function aiosp_log_viewer() {
        // The path is taken straight from the request. esc_attr() only
        // HTML-escapes the value; it does not restrict which file is opened.
        $filename = esc_attr( $_GET['filename'] );
        $lines    = 50; // Show last 50 lines of the log file
        $file     = file( $filename );

        echo '<pre>';
        foreach ( array_slice( $file, -1 * $lines ) as $line ) {
            echo esc_html( $line );
        }
        echo '</pre>';
    }
}

You can see that $filename is taken directly from the request. esc_attr() only HTML-escapes the value; it does not validate it against an allowlist or confine it to the plugin's log directory, so any path the web server can read, whether an absolute path such as /etc/passwd or a relative one containing ../, is handed to file(). An attacker with admin access can therefore view the last 50 lines of any file the web server can read.
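As an added example (not code from the AIOS plugin or from its 5.1.5 patch, whose actual fix is not reproduced here), the following shows how the viewer above would be hardened in a WordPress plugin: require the manage_options capability and a nonce, accept only a bare filename from an allowlist of known log files, and confirm that the resolved path still lies inside the plugin's log directory. The class and function names are kept from the snippet above; the log directory, the allowlist entries and the nonce action name are assumptions.

```php
<?php
// Added example, not the AIOS plugin's own code. Assumes it runs inside
// WordPress (current_user_can, check_admin_referer, wp_die, wp_unslash and
// esc_html are WordPress core functions). LOG_DIR, ALLOWED_LOGS and the
// nonce action 'aiosp_log_viewer' are assumed values for illustration.

class aiosp_common {
    // Directory the plugin writes its logs to (assumed location).
    const LOG_DIR = WP_CONTENT_DIR . '/aiosp-logs';

    // Only these basenames may ever be displayed (assumed names).
    const ALLOWED_LOGS = array( 'debug.log', 'firewall.log' );

    public static function aiosp_log_viewer() {
        // 1. Capability and nonce: administrators only, and only from a link
        //    or form the plugin itself rendered (blocks CSRF against an admin).
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        check_admin_referer( 'aiosp_log_viewer' );

        // 2. Allowlist check. basename() strips every directory component, so
        //    "../../etc/passwd" becomes "passwd" and is then rejected because
        //    it is not one of the known log names.
        $requested = isset( $_GET['filename'] )
            ? basename( wp_unslash( $_GET['filename'] ) )
            : '';
        if ( ! in_array( $requested, self::ALLOWED_LOGS, true ) ) {
            wp_die( 'Unknown log file.' );
        }

        // 3. Containment check on the resolved path. realpath() follows
        //    symlinks, so a link planted in LOG_DIR that points elsewhere on
        //    the filesystem resolves outside $base and is refused.
        $base = realpath( self::LOG_DIR );
        $path = realpath( self::LOG_DIR . '/' . $requested );
        if ( false === $base
            || false === $path
            || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
            || ! is_file( $path ) ) {
            wp_die( 'Log file not available.' );
        }

        // 4. Read and display the last 50 lines, HTML-escaped.
        $lines = file( $path, FILE_IGNORE_NEW_LINES );
        if ( false === $lines ) {
            wp_die( 'Unable to read log file.' );
        }
        echo '<pre>';
        foreach ( array_slice( $lines, -50 ) as $line ) {
            echo esc_html( $line ) . "\n";
        }
        echo '</pre>';
    }
}
```

Each of the three checks closes a different gap: basename() removes traversal, the allowlist limits reads to files the plugin itself writes, and the realpath() containment check defends against a symlink placed in the log directory. The capability and nonce checks are independent of the path handling and should be present on any admin page that reads from the server, regardless of how tightly the path is validated.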

1. Log in as an admin user on the WordPress site.
2. Navigate to the AIOS log viewer settings page, located at https://yourwordpresssite.com/wp-admin/admin.php?page=aiosp_log_viewer.
3. Modify the filename parameter in the URL with the path to the desired file on the server, e.g., https://yourwordpresssite.com/wp-admin/admin.php?page=aiosp_log_viewer&filename=/etc/passwd. The page renders the last 50 lines of that file.

Affected Versions and Fix

This vulnerability affects All-In-One Security WordPress plugin versions before 5.1.5. The developers of the plugin have addressed the issue in version 5.1.5, and site owners should update to 5.1.5 or later. Until the update is applied, treat administrator accounts with the same care as server accounts, since any compromised admin credential grants read access to the filesystem.

References

- AIOS WordPress Plugin Official Site
- CVE-2023-0156 Vulnerability Details
- AIOS Version 5.1.5 Release Notes

By staying informed and taking necessary precautions, you can help to keep your WordPress site safe and secure from vulnerabilities such as CVE-2023-0156.

Timeline

Published on: 04/10/2023 14:15:00 UTC
Last modified on: 04/14/2023 03:54:00 UTC