CVE-2018-7204 in File Manager Plugin
Summary
by MITRE
inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.
Analysis
by VulDB Data Team • 02/17/2023
The vulnerability identified as CVE-2018-7204 resides within the Giribaz File Manager plugin for WordPress, specifically in the inc/logger.php component. This issue represents a critical security flaw that demonstrates inadequate filtering of sensitive data before it is logged and inadequate protection of the resulting log output. The plugin's logging functionality was designed to track user activities related to file management operations, but it failed to filter or sanitize sensitive data before writing it to persistent storage. The vulnerability manifests when users interact with the plugin's file editing capabilities, particularly when modifying the wp-config.php file through the interface.
The technical exploitation of this vulnerability occurs through the plugin's logging mechanism that indiscriminately records all user activities without proper data sanitization. When administrators or users edit the wp-config.php file using the Giribaz File Manager, the entire contents of this critical configuration file are appended to the log.txt file located in the wp-content/uploads/file-manager directory. This log.txt file lacks proper access controls or authentication requirements, making it publicly accessible on the web server. The wp-config.php file contains highly sensitive information including database connection credentials, encryption salts, security keys, and other configuration parameters essential for system security. The vulnerability essentially creates a data exposure scenario where sensitive configuration data becomes accessible through simple web requests.
The operational impact of this vulnerability extends far beyond the immediate scope of the affected plugin, creating a significant risk for WordPress installations. The log.txt file, being stored in the publicly accessible uploads directory, becomes indexed by search engines like Google, providing attackers with an automated method to discover vulnerable sites. This creates a direct pathway for attackers to identify and exploit multiple WordPress installations simultaneously through simple search queries. The vulnerability aligns with CWE-200, which addresses "Information Exposure," and represents a classic example of insecure logging practices where sensitive data is written to accessible storage without proper protection mechanisms. The attack surface is amplified by the fact that these log files can be discovered through Google dorks, a technique commonly used in reconnaissance phases of cyber attacks.
The exploitation of this vulnerability follows established patterns documented in the MITRE ATT&CK framework, particularly under the reconnaissance and credential access phases. Attackers can systematically search for vulnerable WordPress installations using Google dorks targeting the specific log file path, thereby automating the discovery of sensitive information. This approach enables large-scale credential harvesting attacks where attackers can collect database credentials, API keys, and other sensitive parameters from multiple installations. The vulnerability also demonstrates poor application security practices related to privilege separation and data handling, where the plugin fails to implement proper access controls for sensitive logging operations. Organizations using the affected plugin version face significant risks including unauthorized database access, potential data breaches, and compromise of entire WordPress installations.
The recommended mitigations for this vulnerability involve immediate plugin updates to version 5.0.2 or later, where the logging mechanism has been properly implemented to prevent sensitive data exposure. System administrators should also conduct thorough audits of their WordPress installations to identify and remove any existing log files containing sensitive information. Access controls for the uploads directory should be reviewed and strengthened to prevent public access to potentially sensitive files. Additionally, organizations should implement proper logging practices that ensure sensitive data is either filtered out of logs or stored with appropriate access controls. The vulnerability underscores the importance of secure coding practices and proper input validation, particularly when dealing with configuration files that contain sensitive data. Regular security assessments and vulnerability scanning should be implemented to identify similar issues in other plugins and themes that may expose sensitive information through logging mechanisms.
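As an added illustration of the logging flaw described above and of the audit step recommended in the mitigations, the following Python script (written for this page, not the plugin's own code) shows a constructed log.txt of the kind the vulnerable logger would produce, a redaction function that keeps the define name but drops its value, and an audit that walks an uploads directory to report log files leaking wp-config.php secrets. The regex, the sample log and the directory layout are assumptions for the example.

```python
import os, re, tempfile

# Sensitive wp-config.php define() names named in the advisory (DB credentials,
# keys and salts). The regex itself is constructed for this example.
SENSITIVE = re.compile(
    r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST)|"
    r"(?:AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(?:KEY|SALT))['\"]\s*,\s*"
    r"['\"]([^'\"]*)['\"]\s*\)"
)

# Constructed sample of what the vulnerable logger would append to log.txt
# after an edit of wp-config.php: an event line followed by the whole file.
SAMPLE_LOG = """2018-02-01 10:00:00 edit wp-config.php
<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'hunter2');
define('AUTH_KEY', 'x1x1x1');
"""

def find_leaked_secrets(log_text):
    """Return the names of wp-config secrets whose values appear in the log."""
    return [m.group(1) for m in SENSITIVE.finditer(log_text)]

def redact(text):
    """Keep the define name but drop its value; what a safe logger should write."""
    return SENSITIVE.sub(lambda m: f"define('{m.group(1)}', '[REDACTED]')", text)

def audit_uploads(uploads_dir):
    """Walk an uploads tree and map each .txt/.log file to the secrets it leaks."""
    findings = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if not name.endswith((".txt", ".log")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                leaked = find_leaked_secrets(fh.read())
            if leaked:
                findings[path] = leaked
    return findings

def demo():
    """Build a throwaway uploads/file-manager/log.txt and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = os.path.join(tmp, "file-manager")
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "log.txt"), "w") as fh:
            fh.write(SAMPLE_LOG)
        return audit_uploads(tmp)
```

Point `audit_uploads()` at a real wp-content/uploads directory to locate leftover log files before removing them; any hit is a signal to rotate the database password, keys and salts it names.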