Remote command execution vulnerability in 3.3.16

[PicklerBox]

Go to the edit-theme. PHP file, click the sava Changes button below, and grab the package.


Use.. / to change the edited_file parameter in the request package

Then we access index.php

[PicklerBox]

`if((isset($_POST['submitsave']))){

# check for csrf
if (!defined('GSNOCSRF') || (GSNOCSRF == FALSE) ) {
	$nonce = $_POST['nonce'];
	if(!check_nonce($nonce, "save")) {
		die("CSRF detected!");
	}
}

# save edited template file
$SavedFile = $_POST['edited_file'];
$FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];	
$fh = fopen(GSTHEMESPATH . $SavedFile, 'w') or die("can't open file");
fwrite($fh, $FileContents);
fclose($fh);
$success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);

}`
The savedFile and FileContents parameters are not filtered, so you can write files across directories

[tablatronix]

Thanks, looks like this was not completely back-patched from 3.4

[risingisland]

Is there a fix/patch for this that can be applied?
Example code or Pull Request?

[tablatronix]

This looks easy, just check the same code in 3.4 and backport it

	# save edited template file
	$SavedFile = $_POST['edited_file'];
	if(!filepath_is_safe($themepath.$SavedFile,GSTHEMESPATH,true)) die();	 // mitigation check
	$FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];