Project: Wordpress Plugin Advanced Access Manager 5.9.8

Vulnerability: #9252749 (2019-07-22 10:09:09)

Warning

Many findings are false positives or are not exploitable in practice. Please confirm a finding with a working proof of concept ("PoC") before reporting anything to the vendor!

Details:

Sink Standard::file_get_contents
Risk _SERVER
/advanced-access-manager/application/Core/Request.php:73 (show/hide source)
53       *
54       * @access public
55       * @static
56       */
57      public static function request($param = null, $default = null) {
            // Thin wrapper: delegates the lookup of $param in $_REQUEST to
            // readArray() (not shown in this excerpt). $_REQUEST is populated
            // from the client's request, so the returned value is untrusted.
58          return self::readArray($_REQUEST, $param, $default);
59      }
60      
61      /**
62       * Get parameter from global _SERVER array
63       *
64       * @param string $param   SERVER Parameter
65       * @param mixed  $default Default value
66       *
67       * @return mixed
68       *
69       * @access public
70       * @static
71       */
72      public static function server($param = null, $default = null) {
            // Delegates the lookup of $param in $_SERVER to readArray() (not
            // shown in this excerpt); no filtering is visible at this layer.
            // NOTE(review): $_SERVER mixes server-set entries with
            // client-influenced ones (REQUEST_URI, HTTP_* headers), so callers
            // have to validate the value themselves. This is the line the
            // scanner marks as the taint source (Request.php:73).
73 return self::readArray($_SERVER, $param, $default);
74 } 75
Threat level 0

Callstack:

AAM_Core_Media::printMedia /advanced-access-manager/application/Core/Media.php:144 (show/hide source)
124          }
125          
126          if (empty($path) || !file_exists($path)) {
127              $path = ABSPATH . $this->request_uri;
128          }
129          
130          //normalize path and strip all unexpected trails. Thanks to Antonius Hegyes
131          $path  = preg_replace('/\?.*$/', '', $path);
132          $rpath = preg_replace('/\?.*$/', '', $this->request_uri);
133          
134          //finally replace the filename with requested filename
135          $request = str_replace(basename($path), basename($rpath), $path);
136          
137          if (empty($mime)) {
138              if (function_exists('mime_content_type')) {
139                  $mime = mime_content_type($request);
140              }
141          }
142          
143          @header('Content-Type: ' . (empty($mime) ? $type : $mime));
144 echo file_get_contents($request);
145 exit; 146 }
AAM_Core_Media::checkMediaAccess /advanced-access-manager/application/Core/Media.php:97 (show/hide source)
77       */
78      protected function checkMediaAccess() {
79          if (apply_filters('aam-media-request', true, $this->request)) {
80              $media = $this->findMedia();
81              $area  = (is_admin() ? 'backend' : 'frontend');
82              
83              if (empty($media)) {
84                  $this->printMedia();
85              } else {
86                  if (!$media->allowed('frontend.read')) {
87                      $args = array(
88                          'hook'   => 'media_read', 
89                          'action' => "{$area}.read", 
90                          'post'   => $media->getPost()
91                      );
92                          
93                      $default = AAM_Core_Config::get('media.default.placeholder');
94                      
95                      if ($default) {
96                          do_action('aam-access-rejected-action', $area, $args);
97 $this->printMedia(get_post($default));
98 } else { 99 AAM_Core_API::reject($area, $args);
AAM_Core_Media::authorize /advanced-access-manager/application/Core/Media.php:62 (show/hide source)
42       * @return void
43       * 
44       * @access protected
45       */
46      protected function __construct() {
            // Derives the requested media path from the HTTP request and stores
            // it as $this->request (prefixed with DOCUMENT_ROOT) and
            // $this->request_uri (query string removed).
            //
            // NOTE(review): both branches of the ternary below are
            // client-controlled. A numeric 'aam-media' value selects the
            // URL-decoded REQUEST_URI; any other value is used verbatim as the
            // path. filter_input() is called without a filter argument, and
            // nothing in this constructor rejects '..' segments or confines the
            // result to a media directory.
47          $media   = filter_input(INPUT_GET, 'aam-media');
48          $request = (is_numeric($media) ? urldecode(AAM_Core_Request::server('REQUEST_URI')) : $media);
49          $root    = AAM_Core_Request::server('DOCUMENT_ROOT');
50          
            // Backslashes are normalised to '/', but the concatenated path is
            // not canonicalised.
51          $this->request     = str_replace('\\', '/', $root . $request);
            // Removes the '?...' query-string suffix from the requested path.
52          $this->request_uri = preg_replace('/\?.*$/', '', $request);
            // NOTE(review): printMedia() (Media.php:126-144 as quoted in this
            // report) falls back to ABSPATH . $this->request_uri and passes the
            // derived path to file_get_contents(). A fix would need a
            // containment check before that read, e.g. resolve with realpath()
            // and verify the result stays inside the uploads directory.
            // Confirm against the full file before relying on this.
53      }
54      
55      /**
56       * 
57       */
58      public function authorize() {
59          if (AAM_Core_Config::get('core.settings.mediaAccessControl', false)) {
60              $area = AAM_Core_Api_Area::get();
61              if (AAM_Core_Config::get("core.settings.{$area}AccessControl", true)) {
62 $this->checkMediaAccess();
63 } else { 64 $this->printMedia();