1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. VibeBP (Vibe BuddyPress Plugin)

- WPLMS와 함께 사용되는 플러그인으로, 강력한 소셜 네트워킹 및 회원 관리 기능을 제공

3. 취약점

3.1 CVE-2024-56042 [2][3]

[사진 1] CVE-2024-56042

- WPLMS에서 발생하는 SQL Injection 취약점 (CVSS: 9.3)

영향받는 버전 : WPLMS < 1.9.9.5.3

 

- includes/vibe-course-module/includes/api/v3/class-api-commissions.php의 get_instructor_commissions_chart()에 취약점 존재
> json/wplms/v1/commissions/instructor/<ID>/chart의 REST 엔드포인트를 처리
> REST 엔드포인트 자체에서는 commissions_request_validate()를 통해 사용자 권한을 확인

 

> Line4 및 Line7 : 클라이언트 요청에서 course_id와 currency 파라미터를 추출 및 $course_id와 $currency에 할당 
> Line16 ~ Line24 : $course_id와 $currency를 .=(문자열 연결 연산자) 연사자를 사용해 $and_where에 할당
> Line29 ~ Line40 : get_results()를 사용해 SQL 쿼리를 실행한 후 결과를 $results에 할당

 

- $course_id와 $currency에 대한 적절한 검증 없이 $and_where에 포함되어 SQL 쿼리에 사용되므로, 유효한 ID를 가진 공격자에 의해 SQL Injection 취약점이 발생

includes/vibe-course-module/includes/api/v3/class-api-commissions.php, function get_instructor_commissions_chart()
1     function get_instructor_commissions_chart($request){
2     
3     $user_id = $request->get_param('id');
4     $course_id =$request->get_param('course_id');
5     $date_start = $request->get_param('date_start');
6     $date_end = $request->get_param('date_end');
7     $currency = $request->get_param('currency');
8     ------------ CUT HERE ------------
9     
10     $and_where = '';
11     $start_date = '';
12     $end_date = '';
13     $group_by = ' GROUP BY select_parameter';
14     $select = 'MONTH(activity.date_recorded) as select_parameter';
15     
16     if(!empty($course_id)){
17     $and_where .= " AND activity.item_id = $course_id ";
18     }else{
19     
20     ------------ CUT HERE ------------
21     }
22     if(!empty($currency)) {
23     $and_where .= " AND meta2.meta_value = '".$currency."' ";
24     }
25     
26     ------------ CUT HERE ------------
27     global $wpdb;
28     global $bp;
29     $results = $wpdb->get_results( "
30     SELECT ".$select.", sum(meta.meta_value) as commission
31     FROM {$bp->activity->table_name} AS activity
32     LEFT JOIN {$bp->activity->table_name_meta} as meta ON activity.id = meta.activity_id
33     LEFT JOIN {$bp->activity->table_name_meta} as meta2 ON activity.id = meta2.activity_id
34     WHERE     activity.component     = 'course'
35     AND     activity.type     = 'course_commission'
36     AND     activity.user_id     = {$user_id}
37     AND     meta.meta_key   LIKE '_commission%'
38     AND     meta2.meta_key   LIKE '_currency%'
39     .$and_where.
40     .$group_by,ARRAY_A);
41     ------------ CUT HERE ------------
42     }

 

3.2 CVE-2024-56047 [4][5]

[사진 2] CVE-2024-56047

- WPLMS에서 발생하는 SQL Injection 취약점

영향받는 버전 : WPLMS < 1.9.9.5.3

 

- include/vibe-course-module/includes/api/v3/class-api-user-controller.php의 search_users_in_chat()에 취약점 존재
> json/wplms/v2/user/alluser의 REST 엔드포인트를 처리하며, 인증된 모든 사용자가 액세스할 수 있음
> Line3 : 클라이언트로부터 전달받은 user_initials를 추출해 $user_initials에 할당
> Line4 : $user_initials를 포함해 SQL 쿼리 실행 및 결과를 $results에 할당

 

- user_initials에 대한 적절한 검증 없이 $user_initials에 할당되어 SQL 쿼리에 사용되므로, SQL Injection 취약점이 발생

includes/vibe-course-module/includes/api/v3/class-api-user-controller.php, function search_users_in_chat()
1     function search_users_in_chat($request){
2     global $wpdb;
3     $user_initials = $request->get_param('user_initials');
4     $results = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}users WHERE `user_nicename` LIKE '%{$user_initials}%'", ARRAY_A );
5     
6     $return = array('status'=>1,'message'=>'','users'=>array());
7     if(!empty($results)){
8     foreach($results as $result){
9     $return['users'][]=apply_filters('wplms_api_search_users_in_chat',array(
10     'name'=> bp_core_get_user_displayname($result['ID']),
11     'id'=> intval($result['ID']),
12     'image'=> bp_core_fetch_avatar(array('item_id' => $result['ID'],'type'=>'thumb', 'html' => false)),
13     'type'=> (user_can(intval($result['ID']),'manage_options')?_x('Administrator','Chat search result user type','wplms'):(user_can($result['ID'],'edit_posts')?_x('Instructor','Chat search result user type','wplms'):_x('Student','Chat search result user type','wplms')))
14     ));
15     }
16     }else{
17     $return = array('status'=> 0,'message'=>_x('No user found !','Chat search result','wplms'),'users'=>array());
18     }
19     
20     }

 

3.3 CVE-2024-56039 [6][7]

[사진 3] CVE-2024-56039

- VibeBP에서 발생하는 SQL Injection 취약점 (CVSS: 9.3)

영향받는 버전 : VibeBP < 1.9.9.7.7

 

- include/buddypress/class-api-settings-controller.php의 get_avatar()에 취약점 존재
> json/vbp/v1/avatar의 REST 엔드포인트를 처리
> REST 엔드포인트 자체에서는 commissions_request_validate()를 통해 사용자 권한을 확인

 

> Line3 ~ Line4 : 클라이언트로부터 전달받은 요청의 Body를 JSON으로 디코딩 및 재귀적으로 필터링한 후 $body에 할당
> Line33 : $body['ids']['item_id']를 포함해 SQL 쿼리 실행 및 결과를 $name에 할당

 

- $body 값에 대한 적절한 검증 없이 get_var()에 포함되어 SQL 쿼리에 사용되므로, SQL Injection 취약점이 발생

includes/buddypress/class-api-settings-controller.php, function get_avatar()
1     function get_avatar($request){
2     
3     $body = json_decode($request->get_body(),true);
4     $body = vibebp_recursive_sanitize_text_field($body);
5     $name = '';
6     $avatar= '';
7     $key='';
8     $type = '';
9     if(!empty($body['type'])){$type=$body['type'];}
10     switch($type){
11     case 'friends':
12     
13     $key = 'user_'.$body['ids']['item_id'];
14     $avatar = bp_core_fetch_avatar(array(
15     'item_id' => (int)$body['ids']['item_id'],
16     'object'  => 'user',
17     'type'=>'thumb',
18     'html'    => false
19     ));
20     $name = bp_core_get_user_displayname($body['ids']['item_id']);
21     
22     
23     break;
24     case 'group':
25     $key = 'group_'.$body['ids']['item_id'];
26     $avatar = bp_core_fetch_avatar(array(
27     'item_id' => (int)$body['ids']['item_id'],
28     'object'  => 'group',
29     'type'=>'thumb',
30     'html'    => false
31     ));
32     global $wpdb,$bp;
33     $name = $wpdb->get_var("SELECT name from {$bp->groups->table_name} WHERE id=".$body['ids']['item_id']);
34     ------------- CUT HERE -------------

 

3.4 CVE-2024-56041 [8][9]

[사진 4] CVE-2024-56041

- VibeBP에서 발생하는 SQL Injection 취약점

영향받는 버전 : VibeBP < 1.9.9.5.1

 

- include/buddypress/class-api-messages-controller.php의 remove_message_label()에 취약점 존재
> json/vbp/v1/messages/label/remove의 REST 엔드포인트를 처리

 

> Line2 ~ Line3 : 클라이언트로부터 전달받은 요청의 Body를 JSON으로 디코딩 및 재귀적으로 필터링한 후 $body에 할당
> Line14 및 Line16 : $body['slug']를 $slug에 할당한 후 이를 포함해 SQL 쿼리 실행 및 결과를 $labels_count에 할당

 

- $slug 값에 대한 적절한 검증 없이 get_results()에 포함되어 SQL 쿼리에 사용되므로, SQL Injection 취약점이 발생

includes/buddypress/class-api-messages-controller.php, function remove_message_label()
1     function remove_message_label($request){
2     $body = json_decode($request->get_body(),true);
3     $body = vibebp_recursive_sanitize_text_field($body);
4     $labels = get_user_meta($this->user->id,'vibebp_message_labels',true);
5     if(!empty($labels)){
6     $remove = 0;
7     foreach($labels as $k=>$l){
8     if($l['slug'] === $body['slug']){
9     $remove = $k;
10     break;
11     }
12     }
13     $label_key = 'vibebp_label_'.$this->user->id;
14     $slug = $body['slug'];
15     global $wpdb,$bp;
16     $labels_count = $wpdb->get_results("DELETE FROM {$bp->messages->table_name_meta} WHERE meta_key = '$label_key' AND meta_value = '$slug'");
17     unset($labels[$remove]);
18     update_user_meta($this->user->id,'vibebp_message_labels',$labels);
19     }
20     
21     return new WP_REST_Response( array('status'=>1,'labels'=>$labels,'message'=>_x('Label removed.','message','vibebp')), 200 ); 
22     }

4. 대응방안

- 벤더사 제공 업데이트 적용 [10][11]
> WPLMS Plugin 1.9.9.5.3
> Vibebp 1.9.9.7.7
> 관련된 변수 및 코드에 적절한 이스케이프를 적용

5. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56042
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-unauthenticated-sql-injection-vulnerability
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-56047
[5] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-sql-injection-vulnerability
[6] https://nvd.nist.gov/vuln/detail/CVE-2024-56039
[7] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-7-7-unauthenticated-sql-injection-vulnerability
[8] https://nvd.nist.gov/vuln/detail/CVE-2024-56041
[9] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-5-1-sql-injection-vulnerability
[10] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[11] https://asec.ahnlab.com/ko/85311/

'취약점 > Injection' 카테고리의 다른 글

WordPress Fancy Product Designer SQL Injection 취약점 (CVE-2024-51818, CVE-2024-51919)  (0) 2025.01.10
Four-Faith 산업용 라우터 OS 명령 주입 취약점 (CVE-2024-12856)  (0) 2025.01.04
공항 보안 우회가 가능한 SQL Injection 취약점  (5) 2024.10.14
Ivanti Endpoint Manager(EPM) SQL Injection (CVE-2024-29824)  (1) 2024.10.05
Ivanti Cloud Service Appliance OS Command Injection (CVE-2024-8190)  (0) 2024.09.23

1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. VibeBP (Vibe BuddyPress Plugin)

- WPLMS와 함께 사용되는 플러그인으로, 강력한 소셜 네트워킹 및 회원 관리 기능을 제공

3. 취약점

3.1 CVE-2024-56043 [2][3]

[사진 1] CVE-2024-56043

- WPLMS의 잘못된 권한 할당으로 인한 권한 상승 취약점 (CVSS: 9.8)

영향받는 버전 : WPLMS <= 1.9.9

 

- includes/vibe-shortcodes/ajaxcalls.php의 wplms_register_user()에 취약점 존재

> wp_ajax_nopriv_wplms_register_user()에 의해 호출되어, 사용자 등록(≒ 회원가입)을 처리하는 함수
> Line7 : 사용자 입력인 $_POST['settings'] 값을 JSON으로 디코딩하여 $settings에 할당
> Line59 ~ Line62 : $setting 객체의 id 값을 확인해 default_role인 경우 $setting 객체의 value 값을 $user_args['role']에 할당
> Line100 : wp_insert_user($user_args)를 사용해 새로운 사용자 생성

※ WordPress의 default_role은 6가지의 값을 가짐 : Super Admin, Administrator, Editor, Author, Contributor, Subscriber [4]

 

- 사용자 입력으로 전달된 default_role에 대한 검증 없이 user_args['role']에 할당되므로, 임의의 역할을 지정해 권한을 상승(Super Admin, Administrator)할 수 있음

includes/vibe-shortcodes/ajaxcalls.php, function wplms_register_user()
1     function wplms_register_user(){
2         if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'bp_new_signup') || !isset($_POST['settings'])){
3             echo '<div class="message">'.__('Security check Failed. Contact Administrator.','wplms').'</div>';
4             die();
5         }
6         $flag = 0;
7         $settings = json_decode(stripslashes($_POST['settings']));
8         if(empty($settings)){
9             $flag = 1; 
10         }
11     ------------- CUT HERE -------------
12     
13         $user_args = $user_fields = $save_settings = array();
14     
15         if(empty($flag)){
16     
17     ------------- CUT HERE -------------
18     
19             foreach($settings as $setting){
20     
21                 if(!empty($setting->id)){
22                     $settings2[] = $setting->id;
23                     if($setting->id == 'signup_username'){
24                         $user_args['user_login'] = $setting->value;
25                     }else if($setting->id == 'signup_email'){
26                         $user_args['user_email'] = $setting->value;
27                     }else if($setting->id == 'signup_password'){
28                         $user_args['user_pass'] = $setting->value;
29                     }else{
30                         if(strpos($setting->id,'field') !== false){
31     
32                             $f = explode('_',$setting->id);
33                             $field_id = $f[1]; 
34                             if(strpos($field_id, '[')){ //checkbox
35                                 $v = str_replace('[','',$field_id);
36                                 $v = str_replace(']','',$v);
37                                 $field_id = $v;
38                                 if(is_Array($user_fields[$field_id]['value'])){
39                                     $user_fields[$field_id]['value'][] = $setting->value;
40                                 }else{
41                                     $user_fields[$field_id] = array('value'=>array($setting->value));
42                                 }
43                             }else{
44                                 if(is_numeric($field_id) && !isset($f[2])){
45                                     $user_fields[$field_id] = array('value'=>$setting->value);
46                                 }else{
47                                     if(in_array($f[2],array('day','month','year'))){
48                                         $user_fields['field_' . $field_id . '_'.$f[2]] = $setting->value;
49                                     }else{
50                                         $user_fields[$field_id]['visibility']=$setting->value;    
51                                     }
52                                 }
53                             }
54                             
55                         }else{
56                             if(isset($form_settings[$setting->id])){
57                             
58                                 $form_settings[$setting->id] = 0; // use it for empty check 
59                                 if($setting->id=='default_role'){
60                                     $save_settings[$setting->id]=$setting->value;
61                                     $user_args['role'] = $setting->value;
62                                 }
63                                 if($setting->id=='member_type'){
64                                     $save_settings[$setting->id]=$setting->value;
65                                     $member_type=$setting->value;
66                                 }
67                                 if($setting->id=='wplms_user_bp_group'){
68                                     if(in_array($setting->value,$reg_form_settings['settings']['wplms_user_bp_group']) || $reg_form_settings['settings']['wplms_user_bp_group'] === array('enable_user_select_group')){
69                                         $save_settings[$setting->id]=$setting->value;
70                                         $wplms_user_bp_group = $setting->value;
71                                     }else{
72                                         echo '<div class="message_wrap"><div class="message error">'._x('Invalid Group selection','error message when group is not valid','wplms').'<span></span></div></div>';
73                                         die();
74                                     }
75                                     
76                                 }
77                             }
78                             
79                         }
80                     }
81                 }
82             }
83             if(!in_array('wplms_user_bp_group', $settings2)){
84                 if(!empty($reg_form_settings['settings']['wplms_user_bp_group']) && is_array($reg_form_settings['settings']['wplms_user_bp_group']) && $reg_form_settings['settings']['wplms_user_bp_group'] !== array('enable_user_select_group') && count($reg_form_settings['settings']['wplms_user_bp_group'])==1){
85                     $wplms_user_bp_group = $reg_form_settings['settings']['wplms_user_bp_group'][0];
86                 }
87             }
88         }
89     
90     ------------- CUT HERE -------------
91     
92         /*
93         FORM SETTINGS
94         */
95         if(empty($form_settings['hide_username'])){
96             $user_args['user_login'] = $user_args['user_email'];
97         }
98         $user_id = 0;
99         if(empty($form_settings['skip_mail'])){
100             $user_id = wp_insert_user($user_args);
101     
102     ------------- CUT HERE -------------

 

3.2 CVE-2024-56048 [5][6]

[사진 2] CVE-2024-56048

- WPLMS의 권한 검증 누락으로 인한 권한 확대 취약점

영향받는 버전 : WPLMS <= 1.9.9

 

- include/vibe-customtypes/includes/musettings.php의 update_license_key()에 취약점 존재
> Line2 ~ Line5 : 해당 요청이 WordPress 내에서 생성된 유효한 요청인지 확인
> Line6 ~ Line9 : $_POST['addon'] 및 $_POST['key'] 값이 비어있지 않은지 확인
> Line10 : $_POST['addon'] 및 $_POST['key'] 값을 사용해 옵션 값 업데이트

 

각 값에 대한 검증이 누락되어, 권한을 확대할 수 있음
> wp_verify_nonce()에 사용되는 nonce 값은 인증된 사용자의 경우 누구나 검증 우회 가능
> $_POST['addon'] 및 $_POST['key'] 값이 비어있는지만 검증 하므로 임의의 값을 전달할 수 있음
> $_POST['addon'] 및 $_POST['key'] 값을 사용해 원하는 만큼 검증 없이 옵션 값 업데이트 가능

includes/vibe-customtypes/includes/musettings.php, function update_license_key()
1     function update_license_key(){
2     if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'security')){
3     _e('Security check Failed. Contact Administrator.','wplms');
4     die();
5     }
6     if(empty($_POST['addon']) || empty($_POST['key'])){
7     _e('Unable to update key.','wplms');
8     die();
9     }
10     update_option($_POST['addon'],$_POST['key']);
11     echo apply_filters('wplms_addon_license_key_updated',__('Key Updated.','wplms'));
12     die();
13     }

 

3.3 CVE-2024-56040 [7][8]

[사진 3] CVE-2024-56040

- VibeBP의 잘못된 권한 할당으로 인한 권한 상승 취약점 (CVSS: 9.8)

영향받는 버전 : VibeBP <= 1.9.9.4.1

 

- includes/class.ajax.php의 vibebp_register_user()에 취약점 존재
> wp_ajax_nopriv_wplms_register_user()에 의해 호출되어, 사용자 등록(≒ 회원가입)을 처리하는 함수
> Line7 : 사용자 입력인 $_POST['settings'] 값을 JSON으로 디코딩하여 $settings에 할당
> Line60 ~ Line63 : $setting 객체의 id 값을 확인해 default_role인 경우 $setting 객체의 value 값을 $user_args['role']에 할당
> Line138 : wp_insert_user($user_args)를 사용해 새로운 사용자 생성

 

- 사용자 입력으로 전달된 default_role에 대한 검증 없이 user_args['role']에 할당되므로, 임의의 역할을 지정해 권한을 상승(Super Admin, Administrator)할 수 있음

includes/class.ajax.php, function vibebp_register_user()
1     function vibebp_register_user(){
2         if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'bp_new_signup') || !isset($_POST['settings'])){
3             echo '<div class="message">'.__('Security check Failed. Contact Administrator.','wplms').'</div>';
4             die();
5         }
6         $flag = 0;
7         $settings = json_decode(stripslashes($_POST['settings']));
8         if(empty($settings)){
9             $flag = 1; 
10         }
11     
12     ------------- CUT HERE -------------
13     
14         $user_args = $user_fields = $save_settings = array();
15     
16         if(empty($flag)){
17     
18     ------------- CUT HERE -------------
19     
20             foreach($settings as $setting){
21     
22                 if(!empty($setting->id)){
23                     $settings2[] = $setting->id;
24                     if($setting->id == 'signup_username'){
25                         $user_args['user_login'] = $setting->value;
26                     }else if($setting->id == 'signup_email'){
27                         $user_args['user_email'] = $setting->value;
28                     }else if($setting->id == 'signup_password'){
29                         $user_args['user_pass'] = $setting->value;
30                     }else{
31                         if(strpos($setting->id,'field') !== false){
32     
33                             $f = explode('_',$setting->id);
34                             $field_id = $f[1]; 
35                             if(strpos($field_id, '[')){ //checkbox
36                                 $v = str_replace('[','',$field_id);
37                                 $v = str_replace(']','',$v);
38                                 $field_id = $v;
39                                 if(is_Array($user_fields[$field_id]['value'])){
40                                     $user_fields[$field_id]['value'][] = $setting->value;
41                                 }else{
42                                     $user_fields[$field_id] = array('value'=>array($setting->value));
43                                 }
44                             }else{
45                                 if(is_numeric($field_id) && !isset($f[2])){
46                                     $user_fields[$field_id] = array('value'=>$setting->value);
47                                 }else{
48                                     if(in_array($f[2],array('day','month','year'))){
49                                         $user_fields['field_' . $field_id . '_'.$f[2]] = $setting->value;
50                                     }else{
51                                         $user_fields[$field_id]['visibility']=$setting->value;    
52                                     }
53                                 }
54                             }
55                             
56                         }else{
57                             if(isset($form_settings[$setting->id])){
58                             
59                                 $form_settings[$setting->id] = 0; // use it for empty check 
60                                 if($setting->id=='default_role'){
61                                     $save_settings[$setting->id]=$setting->value;
62                                     $user_args['role'] = $setting->value;
63                                 }
64                                 if($setting->id=='member_type'){
65                                     $save_settings[$setting->id]=$setting->value;
66                                     $member_type=$setting->value;
67                                 }
68                                 if($setting->id=='vibebp_user_bp_group'){
69                                     if(in_array($setting->value,$reg_form_settings['settings']['vibebp_user_bp_group']) || $reg_form_settings['settings']['vibebp_user_bp_group'] === array('enable_user_select_group')){
70                                         $save_settings[$setting->id]=$setting->value;
71                                         $vibebp_user_bp_group = $setting->value;
72                                     }else{
73                                         echo '<div class="message_wrap"><div class="message error">'._x('Invalid Group selection','error message when group is not valid','wplms').'<span></span></div></div>';
74                                         die();
75                                     }
76                                     
77                                 }
78                             }
79                             
80                         }
81                     }
82                 }
83             }
84             if(!in_array('vibebp_user_bp_group', $settings2)){
85                 if(!empty($reg_form_settings['settings']['vibebp_user_bp_group']) && is_array($reg_form_settings['settings']['vibebp_user_bp_group']) && $reg_form_settings['settings']['vibebp_user_bp_group'] !== array('enable_user_select_group') && count($reg_form_settings['settings']['vibebp_user_bp_group'])==1){
86                     $vibebp_user_bp_group = $reg_form_settings['settings']['vibebp_user_bp_group'][0];
87                 }
88             }
89         }
90     
91     
92     
93         $user_args = apply_filters('vibebp_register_user_args',$user_args);
94         
95     
96         //hook for validations externally
97         do_action('vibebp_custom_registration_form_validations',$name,$settings,$all_form_settings,$user_args);
98         do_action('wplms_custom_registration_form_validations',$name,$settings,$all_form_settings,$user_args);
99     
100         /*
101         RUN CONDITIONAL CHECKS
102         */
103         $check_filter = filter_var($user_args['user_email'], FILTER_VALIDATE_EMAIL); // PHP 5.3
104         if(empty($user_args['user_email']) || empty($user_args['user_pass']) || empty($check_filter)){
105             echo '<div class="message_wrap"><div class="message error">'._x('Invalid Email/Password !','error message when registration form is empty','wplms').'<span></span></div></div>';
106             die();
107         }
108     
109         //Check if user exists
110         if(!isset($user_args['user_email']) || email_exists($user_args['user_email'])){
111             echo '<div class="message_wrap"><div class="message error">'._x('Email already registered.','error message','wplms').'<span></span></div></div>';
112             die();
113         }
114     
115         //Check if user exists
116         if(!isset($user_args['user_login'])){
117     
118             $user_args['user_login'] = $user_args['user_email'];
119             if(email_exists($user_args['user_login'])){
120                 echo '<div class="message_wrap"><div class="message error">'._x('Username already registered.','error message','wplms').'<span></span></div></div>';
121                 die();
122             }
123         }elseif (username_exists($user_args['user_login'])){
124             echo '<div class="message_wrap"><div class="message error">'._x('Username already registered.','error message','wplms').'<span></span></div></div>';
125             die();
126         }
127         
128     ------------- CUT HERE -------------
129     
130         /*
131         FORM SETTINGS
132         */
133         if(empty($form_settings['hide_username'])){
134             $user_args['user_login'] = $user_args['user_email'];
135         }
136         $user_id = 0;
137         if(empty($form_settings['skip_mail'])){
138             $user_id = wp_insert_user($user_args);
139     
140     ------------- CUT HERE -------------

4. 대응방안

- 벤더사 제공 업데이트 적용 [9][10]
> WPLMS Plugin 1.9.9.5.3
> Vibebp 1.9.9.7.7

> 사용자가 등록할 수 있는 역할을 제한하는 패치 적용
> 추가 권한 검사를 구현하고 업데이트할 수 있는 옵션 이름에 대한 허용 목록 검사 적용

5. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56043
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-privilege-escalation-vulnerability
[4] https://developer.wordpress.org/plugins/users/roles-and-capabilities/
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-56048
[6] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-arbitrary-option-update-to-privilege-escalation-vulnerability
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-56040
[8] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-4-1-unauthenticated-privilege-escalation-vulnerability
[9] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[10] https://asec.ahnlab.com/ko/85311/

'취약점 > Elevation of Privilege' 카테고리의 다른 글

Kubernetes Image Builder 기본 자격 증명 비활성화 취약점 (CVE-2024-9486, CVE-2024-9594)  (1) 2024.10.18
Ivanti 권한 상승 취약점 (CVE-2024-21888, CVE-2024-21893)  (1) 2024.02.15
Cisco IOS XE Software Web UI 권한 상승 취약점 (CVE-2023-20198)  (1) 2023.10.17
WordPress WooCommerce Payments 플러그인 권한 상승 취약점 (CVE-2023-28121)  (0) 2023.07.18
Microsoft Outlook 권한 상승 취약점 (CVE-2023-23397)  (0) 2023.03.21

1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. 취약점

2.1 CVE-2024-56046 [2][3]

[사진 1] CVE-2024-56046

- WPLMS에서 발생하는 파일 업로드 취약점 (CVSS: 10.0)

영향받는 버전 : WPLMS <= 1.9.9

 

- includes/vibe-shortcodes/shortcodes.php의 wplms_form_uploader_plupload()에 취약점 존재
> Line9 : $_REQUEST["name"] 값을 우선적으로 $fileName에 할당하며, 해당 값이 없을 경우 $_FILES["file"]["name"] 값을 사용
> Line17 : $fileName은 파일 저장 경로를 결정하는데 사용됨

 

- name 파라미터는 사용자 요청으로부터 추출 (Line9)
> 해당 값에 대한 검증 없이 사용하여 악의적인 파일(Ex. "../../../attack.php")을 사용해 파일을 업로드할 수 있음

 

- $fileName을 기반으로 서버의 특정 경로에 저장
> 해당 값에 대한 검증이 없어 임의 디렉터리에 악의적인 파일을 업로드할 수 있음

includes/vibe-shortcodes/shortcodes.php, function wplms_form_uploader_plupload()
1     function wplms_form_uploader_plupload(){
2       check_ajax_referer('wplms_form_uploader_plupload');
3     
4       if (empty($_FILES) || $_FILES['file']['error']) {
5           die('{"OK": 0, "info": "Failed to move uploaded file."}');
6       }
7       $chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
8       $chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
9       $fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : $_FILES["file"]["name"];
10     
11       $upload_dir_base = wp_upload_dir();
12       $folderPath = $upload_dir_base['basedir']."/wplms_form_uploader";
13       if(function_exists('is_dir') && !is_dir($folderPath)){
14           if(function_exists('mkdir')) 
15               mkdir($folderPath, 0755, true) || chmod($folderPath, 0755);
16       }
17       $filePath = $folderPath."/$fileName";
18     
19       // Open temp file
20       if($chunk == 0) 
21           $perm = "wb" ;
22       else 
23           $perm = "ab";
24     
25       $out = @fopen("{$filePath}.part",$perm );
26     
27       if ($out) {
28         // Read binary input stream and append it to temp file
29         $in = @fopen($_FILES['file']['tmp_name'], "rb");
30         
31         if ($in) {
32           while ($buff = fread($in, 4096))
33             fwrite($out, $buff);
34         } else
35           die('{"OK": 0, "info": "Failed to open input stream."}');
36         
37         @fclose($in);
38         @fclose($out);
39         
40         @unlink($_FILES['file']['tmp_name']);
41       } else
42         die('{"OK": 0, "info": "Failed to open output stream."}');
43     
44       // Check if file has been uploaded
45       if (!$chunks || $chunk == $chunks - 1) {
46         // Strip the temp .part suffix off
47           rename("{$filePath}.part", $filePath);
48           
49       }
50       die('{"OK": 1, "info": "Upload successful."}');
51       exit;
52     }

 

2.2 CVE-2024-56050 [4][5]

[사진 2] CVE-2024-56050

- WPLMS에서 발생하는 파일 업로드 취약점 (CVSS: 9.9)

영향받는 버전 : WPLMS < 1.9.9.5.3

 

- includes/vibe-shortcodes/upload_handler.php의 wp_ajax_zip_upload()에 취약점 존재
> Line4 ~ Line8 : 사용자 요청에서 값을 추출해 변수 할당
> Line18 ~ Line19 : Zip 파일 내 다른 파일이 있는 경우 extractZip()을 통해 파일 내 모든 내용을 추출
> 사용자 요청에서 추출한 값을 검증없이 사용하여 취약점 발생

 

extractZip()
> Line6 : extractTo()를 사용해 Zip 파일내 모든 파일을 $target 디렉터리에 추출
파일에 대한 검증없이 추출되어 취약점 발생
> attack.php 등의 악의적 파일을 포함한 Zip 파일을 업로드할 수 있는 문제 발생

includes/vibe-shortcodes/upload_handler.php, function wp_ajax_zip_upload()
1     function wp_ajax_zip_upload(){
2     $arr = array();
3     
4     $file = $_FILES['uploadedfile']['tmp_name'];
5     $dir = explode(".",$_FILES['uploadedfile']['name']);
6     $dir[0] = str_replace(" ","_",$dir[0]);
7     $target = $this->getUploadsPath().$dir[0];
8     $index = count($dir) -1;
9     
10     if (!isset($dir[$index]) || $dir[$index] != "zip")
11     $arr[0] = __('The Upload file must be zip archive','wplms');
12     else{
13     while(file_exists($target)){
14     $r = rand(1,10);
15     $target .= $r;
16     $dir[0] .= $r;
17     }
18     if (!empty($file))
19     $arr = $this->extractZip($file,$target,$dir[0]);
20     else
21     $arr[0] = __('File too big','wplms');
22     }
23     echo json_encode($arr);
24     die();
25     }

includes/vibe-shortcodes/upload_handler.php, function extractZip()
1     function extractZip($fileName,$target,$dir){
2     $arr = array();
3     $zip = new ZipArchive;
4     $res = $zip->open($fileName);
5     if ($res === TRUE) {
6     $zip->extractTo($target);
7     $zip->close();
8     $file = $this->getFile($target);
9     ;
10     if($file){
11     $arr[0] = 'uploaded'; 
12     $arr[1] = $this->getUploadsUrl().$dir."/".$file; 
13     $arr[2] = $dir;
14     $arr[3] =$file;
15     $arr[4] = $this->getUploadsPath().$dir; 
16     }else{
17     $arr[0] = __('Please upload zip file, Index.html file not found in package','wplms').$target.print_r($file);
18     $this->rrmdir($target);
19     }
20     }else{
21     $arr[0] = __('Upload failed !','wplms');;
22     }
23     return  $arr;
24     }

 

2.3 CVE-2024-56052 [6][7]

[사진 3] CVE-2024-56052

- WPLMS에서 발생하는 파일 업로드 취약점 (CVSS: 9.9)

영향받는 버전 : WPLMS < 1.9.9.5.3

 

- includes/assignments/assignments.php의 wplms_assignment_plupload()에 취약점 존재
> Line2 ~ Line4 : WordPress 내에서 생성된 요청인지와 로그인 유무를 검증
> Line18 : $user_id 및 $assignment_id를 기반으로 $folderPath 생성

 

- $assignment_id에 대한 유효성 검증이 없어 임의 디렉터리에 악의적인 파일을 업로드할 수 있음

includes/assignments/assignments.php, function wplms_assignment_plupload()
1     function wplms_assignment_plupload(){
2       check_ajax_referer('wplms_assignment_plupload');
3       if(!is_user_logged_in())
4           die('user not logged in');
5     
6       $user_id = get_current_user_id();
7       
8       if (empty($_FILES) || $_FILES['file']['error']) {
9         die('{"OK": 0, "info": "Failed to move uploaded file."}');
10       }
11     
12       $chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
13       $chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
14       $fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : $_FILES["file"]["name"];
15       
16       $upload_dir_base = wp_upload_dir();
17       $assignment_id = $_POST['assignment_id'];
18       $folderPath = $upload_dir_base['basedir']."/wplms_assignments_folder/".$user_id.'/'.$assignment_id;
19       if(function_exists('is_dir') && !is_dir($folderPath)){
20           if(function_exists('mkdir')) 
21               mkdir($folderPath, 0755, true) || chmod($folderPath, 0755);
22       }
23     
24     
25       $filePath = $folderPath."/$fileName";
26         /*if(function_exists('file_exists') && file_exists($filePath)){
27           echo __(' Chunks upload error ','wplms'). $fileName.__(' already exists.Please rename your file and try again ','wplms');
28           die();
29         }*/
30       // Open temp file
31       if($chunk == 0) $perm = "wb" ;
32       else $perm = "ab";
33     
34       $out = @fopen("{$filePath}.part",$perm );
35     
36       if ($out) {
37         // Read binary input stream and append it to temp file
38         $in = @fopen($_FILES['file']['tmp_name'], "rb");
39         
40         if ($in) {
41           while ($buff = fread($in, 4096))
42             fwrite($out, $buff);
43         } else
44           die('{"OK": 0, "info": "Failed to open input stream."}');
45         
46         @fclose($in);
47         @fclose($out);
48         
49         @unlink($_FILES['file']['tmp_name']);
50       } else
51         die('{"OK": 0, "info": "Failed to open output stream."}');
52         
53         
54       // Check if file has been uploaded
55       if (!$chunks || $chunk == $chunks - 1) {
56         // Strip the temp .part suffix off
57           rename("{$filePath}.part", $filePath);
58           
59       }
60       die('{"OK": 1, "info": "Upload successful."}');
61       exit;
62     }

3. 대응방안

- 벤더사 제공 업데이트 적용 [8][9]
> WPLMS Plugin 1.9.9.5.3

> 파일 이름과 유형을 확인하여 업로드할 수 있는 파일을 제한하는 패치 적용
> 영향을 받는 기능에 대한 추가 권한 확인을 구현하거나 영향을 받는 코드 제거

4. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56046
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-arbitrary-file-upload-vulnerability
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-56050
[5] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-arbitrary-file-upload-vulnerability
[6] https://nvd.nist.gov/vuln/detail/CVE-2024-56052
[7] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-student-arbitrary-file-upload-vulnerability
[8] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[9] https://asec.ahnlab.com/ko/85311/

'취약점 > File Up&Download, Inclusion' 카테고리의 다른 글

Apache Struts 임의 파일 업로드 취약점 (CVE-2024-53677)  (0) 2024.12.19
Cleo 제품 임의 파일 읽기/쓰기 취약점 (CVE-2024-50623)  (0) 2024.12.15
Apache Struts 파일 업로드 취약점 (CVE-2023-50164)_내용추가  (1) 2023.12.18
이니텍 INISAFE CrossWeb EX V3 파일 다운로드 취약점  (0) 2023.03.31
VMware vCenter Server 파일 업로드 취약점 (CVE-2021-21972)  (0) 2023.01.15

+ Recent posts

티스토리툴바