Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165779 (2018-08-19 15:19:19)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::rmdir
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:347 (show/hide source)
327              );
328  
329              $this->response(array(
330                  'success' => 0,
331                  'messages' => $messages,
332              ));
333          }
334      }
335  
336      public function install()
337      {
338          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
339          $package_id = isset($_POST['id']) ? $_POST['id'] : 0;
340  
341          // Check if nonce is not set
342          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
343  
344          // Verify that the nonce is valid.
345          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
346  
347 $package = isset($_POST['package']) ? $_POST['package'] : NULL;
348 $destination = str_replace('package.zip', '', $package); 349
Threat level 1

Callstack:

RTPROV_Folder::delete /realtyna-provisioning/app/includes/folder.php:65 (show/hide source)
45      {
46          return is_dir($path);
47      }
48  
49      public static function create($path, $mode = 0755)
50      {
51          return mkdir($path, $mode);
52      }
53  
54      public static function delete($path)
55      {
56          if(substr($path, strlen($path) - 1, 1) != '/') $path .= '/';
57  
58          $files = glob($path.'*', GLOB_MARK);
59          foreach($files as $file)
60          {
61              if(is_dir($file)) RTPROV_Folder::delete($file);
62              else unlink($file);
63          }
64  
65 return rmdir($path);
66 } 67
RTPROV_Menus_Dashboard::install /realtyna-provisioning/app/includes/menus/dashboard.php:357 (show/hide source)
337      {
338          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
339          $package_id = isset($_POST['id']) ? $_POST['id'] : 0;
340  
341          // Check if nonce is not set
342          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
343  
344          // Verify that the nonce is valid.
345          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
346  
347          $package = isset($_POST['package']) ? $_POST['package'] : NULL;
348          $destination = str_replace('package.zip', '', $package);
349  
350          $file = new RTPROV_File();
351          $extracted = $file->extract($package, $destination);
352  
353          // Extract Failed
354          if(!$extracted)
355          {
356              // Remove the Package
357 RTPROV_Folder::delete($destination);
358 359 $this->response(array(