CVE-2020-35749 – Authenticated Directory Traversal Simple Job Board WordPress plugin version < 2.9.3

CVE-2020-35749 – Authenticated Directory Traversal Simple Job Board WordPress plugin version < 2.9.3

During our research activities we discovered an authenticated local inclusion in the Simple Job Board WordPress plugin.

The Simple Job Board WordPress plugin has reached over 20,000 active installations and an excellent reputation in terms of reviews, allowing the simple and efficient management of job offers.[1]

Directory traversal allows an attacker to step out of the root directory and have an access to other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information about the operating system and source code itself (download source code files).

Tested on:

– v2.9.3 (latest)

– v2.8.82 – PHP 7.2.21

Working on version > 2.4.3


Authenticated Directory Traversal

The Simple Job Board plugin allows to receive a candidate’s resume for a job offer.

To Each candidate is assigned an application number and the resume is made accessible to an HR user through the following link

https://localhost/wp-admin/post.php?post=application_id&action=edit&resume=application_id

Or with the paid component `Multiple Attachment Fields Add on`[2]

https://localhost/wp-admin/post.php?post=application_id&action=edit&sjb_file=application_id_filename.pdf

Looking for some references of the parameter in the code, we found that the

File : simple-job-board/includes/class-simple_job_board_resume_download_handler.php

Following the field $_GET[‘sjb_file’] it is never sanitized, the esc_attr() function execute only an html encoding [3].

So the $filepath variable at the end contains

$files[‘basedir] (‘/var/www/html/wp-content/uploads/jobpost/2020’) and

$_GET[‘sjb_file’] (filename)

After the basename check an header(‘Location ’.$filepath) is executed, so we can exploit this.

The upload location for the resume is :

`/wp-content/uploads/jobpost/2020/application_id_resume.pdf`

So the following link show how the directory traversal can be exploited going back to the folders:

https://localhost/wp-admin/post.php?post=application_id&action=edit&sjb_file=../../../../wp-config.php

[1] https://wordpress.org/plugins/simple-job-board/

[2] https://market.presstigers.com/product/multiple-attachment-fields-add-on/

[3] https://developer.wordpress.org/reference/functions/esc_attr/

Previous post ownCloud Multiple Vulnerabilities
Next post NotSoSAML – Privilege Escalation via XML Signature Wrapping on MiniorangeSAML Drupal Plugin