Unyson WordPress framework full path disclosure vulnerability

unyson
Posted on 2018-07-22

About Unyson

Unyson is a free drag & drop framework that comes with a bunch of built-in extensions to help you develop premium WordPress themes quickly and easily. As of mid 2018, the plugin boasts more than 100,000 active installations.

The vulnerability

Like most plugins, modules and other pieces of software that make up a larger system, Unyson makes sure that third parties cannot directly access its individual components (namely its files). This is a common practice, as it simplifies securing the application as a whole.

However, an FPD (Full Path Disclosure) vulnerability is present in the plugin, and it is quite straightforward. The Unyson framework downloads the latest fonts through the load-latest-fonts.php file located in framework/bin/. Unlike the other framework files, this one does not carry the guard that refuses execution when it is requested from outside the framework, namely:

<?php if ( ! defined( 'FW' ) ) {
    die( 'Forbidden' );
}


This allows a third party to request the file directly from any WordPress installation at:

../wp-content/plugins/unyson/framework/bin/load-latest-fonts.php

The disclosure happens in the download_file() function, which echoes the $destination variable, i.e. the absolute filesystem path on the hosting account:

function download_file($url, $destination) {
    // Prints the absolute destination path: this line is the disclosure.
    echo 'downloading ' . $destination . "\n";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // TLS peer verification is disabled here
    curl_setopt($ch, CURLOPT_ENCODING, "UTF-8");

    $data  = curl_exec($ch);
    $error = curl_error($ch);

    curl_close($ch);

    // The response body is written out unconditionally, even when cURL failed.
    $file = fopen($destination, "w+");
    fputs($file, $data);
    fclose($file);
}

When the file is requested over the web, the remote client receives a response similar to the following (the first line is the script's shebang, echoed as plain text):

#!/usr/bin/env php
downloading /var/www/html/site/wp-content/plugins/unyson/framework/bin/../static/libs/entypo/css/entypo.css
downloading /var/www/html/site/wp-content/plugins/unyson/framework/bin/../static/libs/entypo/fonts/entypo.eot

The vulnerability affects Unyson versions 2.5.7 to 2.7.18 (inclusive).

The fix

For users already running Unyson, there is good news: the developers have already published a patch. It is available as of version 2.7.19, which is the latest release and can be installed through the regular update process.

Technically, the vulnerability was fixed by adding a condition that verifies the file is being executed from a CLI environment and stops otherwise:

// Abort unless PHP is running under the command-line SAPI,
// so a request through the web server produces no output.
if ( php_sapi_name() != 'cli' ) {
    die();
}

This can also be seen in the latest file version at ThemeFuse's official GitHub repository.
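The same idea carried a step further, as an added example that is not Unyson's code: a CLI-only guard that fires before any output, together with a download helper that never prints the absolute path and does not write a file when the download failed. The function name download_file_safe() and the placeholder URL are assumptions for illustration.

```php
<?php
// Added example, not part of the Unyson framework.
// Hardened pattern for a command-line helper such as framework/bin/load-latest-fonts.php.

// 1. Refuse to run under any SAPI other than the command line.
//    PHP_SAPI is the constant equivalent of php_sapi_name(); the check must
//    precede every echo so a web request leaks nothing.
if ( PHP_SAPI !== 'cli' ) {
    if ( ! headers_sent() ) {
        http_response_code( 403 );
    }
    exit( 'Forbidden' );
}

/**
 * Download $url into $destination.
 * Only the file name is reported, never the absolute path, and nothing is
 * written when cURL reports an error or a non-200 status.
 *
 * @return bool true when the file was written successfully
 */
function download_file_safe( $url, $destination ) {
    // Report the bare file name instead of the full filesystem path.
    $shown = basename( $destination );
    echo 'downloading ' . $shown . "\n";

    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, true );   // the original sets this to false
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, false );

    $data   = curl_exec( $ch );
    $error  = curl_error( $ch );
    $status = curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    curl_close( $ch );

    if ( $data === false || $error !== '' || $status !== 200 ) {
        // STDERR exists because the guard above guarantees we are in the CLI.
        fwrite( STDERR, "failed: {$shown}: " . ( $error ?: "HTTP {$status}" ) . "\n" );
        return false;
    }
    return file_put_contents( $destination, $data ) !== false;
}

// Example call (assumed URL): the echoed line is "downloading entypo.css".
// download_file_safe( 'https://example.invalid/entypo.css',
//                     __DIR__ . '/../static/libs/entypo/css/entypo.css' );
```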

Users are advised to update their Unyson framework to version 2.7.19 to make sure they are not affected by the vulnerability.
