Javo Themes Spot LFI Vulnerability

Whew, it’s been a while…

I’ve had the misfortune to work with yet another theme from ThemeForest. A $60 premium theme and nothing less! Meet Javo Spot by Javo Themes…

Javo Theme Vulnerability

Within half an hour of fiddling with it, trying to filter the output of their Listings Directory (which ended up being a 5-hour pain-in-the-butt task, a story for another day), I came across a glaring unauthenticated Local File Inclusion vulnerability (an LFI for short). Strictly speaking, as the code below shows, it is an arbitrary file read rather than an inclusion (the file is echoed back, not executed as PHP), but the label has stuck and the effect, disclosure of any file the web server user can read, is bad enough.

The available listings are cached as JSON in a file in the uploads directory, fetched via a GET request from the listing archive page and rendered client-side. But the theme also has a cross-domain mode that uses JSONP, which outputs the contents of the listing file wrapped in a callback via an AJAX call to WordPress (admin-ajax.php).

This is handled by a function called jvfrm_spot_get_json (javo-spot/library/functions/functions-box-map.php):

/**
 *  Cross Domain Ajax
 *
 * @type    action
 *  @function  jvfrm_spot_get_json
 */
if ( !function_exists( 'jvfrm_spot_get_json' ) ) :
  add_action( 'wp_ajax_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
  add_action( 'wp_ajax_nopriv_jvfrm_spot_get_json', 'jvfrm_spot_get_json' ); // nopriv: reachable without logging in
  function jvfrm_spot_get_json() {
    $callback = isset( $_GET[ 'callback' ] ) ? $_GET[ 'callback' ] : '';  // reflected into the output unvalidated
    $file_name = isset( $_GET[ 'fn' ] ) ? $_GET[ 'fn' ] : '';             // attacker-controlled, never sanitised
    $upload_folder  = wp_upload_dir();

    if( '' !== $callback && '' !== $file_name )   {
      $json_file    = "{$upload_folder['basedir']}/{$file_name}";        // "../" in fn walks out of uploads
      if( file_exists( $json_file ) )   {
        $content  = file_get_contents( $json_file );                      // any readable file, not just JSON
        $output    = "{$callback}({$content})";
        die( $output );
      }
    }
    die;
  }
endif;

So the jvfrm_spot_get_json AJAX action, hooked for logged-in and anonymous visitors alike (wp_ajax_ and wp_ajax_nopriv_), lets you name the file you want via the fn request parameter. Under normal operation that is the cached listing JSON file, but the value is simply tacked onto the uploads directory path, read and echoed back, wrapped in whatever you passed as callback…

So by traversing out of the directory with fn=../../wp-config.php (the uploads directory is wp-content/uploads by default, two levels below the WordPress root) we get the wp-config.php file, with its database credentials, authentication keys and nonce salts, and fn=../../../../../../../../../../../../etc/passwd gives us /etc/passwd. The only constraints are that file_exists() must be true and the file must be readable by the web server user; callback must be non-empty but is otherwise unchecked. Put together, the proof of vulnerability is a single unauthenticated GET to /wp-admin/admin-ajax.php?action=jvfrm_spot_get_json&callback=x&fn=../../wp-config.php.

Javo Spot Theme LFI vulnerability in action

Javo Spot Theme LFI vulnerability

Yes, the above images are from the Javo Themes demo site.

Disclosure

After I responsibly sent them a proof-of-vulnerability link against their own demo site, Javo Themes' reply showed a complete lack of understanding:

Thank you for your report.

However, whenever we submit our updates or when it's released, ThemeForest reviewers check for vulnerabilities and we don't have any problems.

If you see the link you gave me, it's the “wp-config.php” file, which is not related to our theme. It's a file of WordPress and it's for server settings.

…seriously?

Mitigation

If you're unable to update the theme for one reason or another (or no fixed version exists yet), the current workaround is to unhook jvfrm_spot_get_json by adding the following code to your child theme's functions.php (or a small site-specific plugin, so it survives theme updates). It runs on init, by which time the theme has registered its hooks, so remove_action takes effect before admin-ajax.php dispatches the action. Be aware that this disables the theme's cross-domain JSONP listing mode entirely.

add_action( 'init', function() {
  /** Disable LFI-vulnerable AJAX call in Javo Spot Premium WordPress Theme */
  remove_action( 'wp_ajax_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
  remove_action( 'wp_ajax_nopriv_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
}, 999 );
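Unhooking the action kills the feature along with the bug. If you need to keep the cross-domain listing mode, the function itself has to be fixed, and the two things it gets wrong are both visible in the listing above: fn is joined onto the uploads path with no validation, and callback is reflected unvalidated. Below is a hardened version, an added example written for this post and not Javo Themes' own code. Because the vendor wraps its whole block, add_action calls included, in a function_exists check, defining a function of the same name in a child theme's functions.php (which WordPress loads before the parent theme's) causes WordPress to use this one instead. It assumes the cache file the theme writes is a flat <name>.json directly under the uploads base directory and that the callback only ever needs to be a plain JavaScript identifier; the post does not state the theme's file name or callback format, so both are assumptions.

```php
<?php
/**
 * Hardened replacement for jvfrm_spot_get_json.
 * Added example, not Javo Themes' code. Assumptions (not stated on the original
 * page): the cache file is a flat "<name>.json" directly inside the uploads
 * basedir, and the JSONP callback is a plain JavaScript identifier.
 */

/**
 * Resolve $fn to a file inside $basedir, or return null.
 * Pure function (no WordPress calls) so it can be exercised from the CLI.
 */
function jvfrm_spot_safe_json_path( $basedir, $fn ) {
    // 1. Allow-list the *shape* of the name: no slashes, no "..", ".json" only.
    if ( ! is_string( $fn ) || ! preg_match( '/\A[A-Za-z0-9_-]+\.json\z/', $fn ) ) {
        return null;
    }
    // 2. Canonicalise both sides before comparing. realpath() collapses "..",
    //    "./" and symlinks, so a prefix test on the result is meaningful; a
    //    symlink inside uploads that points elsewhere fails the test too.
    $root = realpath( $basedir );
    $path = realpath( $basedir . '/' . $fn );
    if ( false === $root || false === $path ) {
        return null;
    }
    $root = rtrim( $root, '/\\' ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $path, $root, strlen( $root ) ) || ! is_file( $path ) ) {
        return null;
    }
    return $path;
}

/** JSONP callback must be a plain identifier; anything else is rejected. */
function jvfrm_spot_safe_callback( $callback ) {
    return ( is_string( $callback ) && preg_match( '/\A[A-Za-z_$][A-Za-z0-9_$]{0,63}\z/', $callback ) )
        ? $callback
        : null;
}

// Same hook names as the theme, so this handler takes the vendor's place.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
    add_action( 'wp_ajax_nopriv_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
}

function jvfrm_spot_get_json() {
    $upload_folder = wp_upload_dir();
    $callback  = jvfrm_spot_safe_callback( isset( $_GET['callback'] ) ? $_GET['callback'] : '' );
    $json_file = jvfrm_spot_safe_json_path( $upload_folder['basedir'], isset( $_GET['fn'] ) ? $_GET['fn'] : '' );

    if ( null === $callback || null === $json_file ) {
        status_header( 400 );
        die;
    }
    // Serve as script, not text/html, so a browser will not render it as a page.
    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    die( $callback . '(' . file_get_contents( $json_file ) . ');' );
}

// Stand-alone check from the CLI (php this-file.php) against a constructed
// temporary uploads directory; the WordPress-hooked handler is not exercised.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $uploads = sys_get_temp_dir() . '/jvfrm-uploads-' . getmypid();
    mkdir( $uploads );
    file_put_contents( $uploads . '/listings.json', '[{"id":1}]' );
    $cases = array(
        'listings.json'                                => true,
        '../../wp-config.php'                          => false,
        '../../../../../../../../../../../../etc/passwd' => false,
        'listings.json/../listings.json'               => false, // slash rejected before realpath
        'missing.json'                                 => false, // shape is fine, file does not exist
    );
    foreach ( $cases as $fn => $expected ) {
        $accepted = null !== jvfrm_spot_safe_json_path( $uploads, $fn );
        printf( "%-48s %s\n", $fn, $accepted === $expected ? 'ok' : 'FAIL' );
    }
    unlink( $uploads . '/listings.json' );
    rmdir( $uploads );
}
```

Run it with php on the command line to see the constructed cases; inside WordPress the same two helpers gate every request. The name check alone would stop the traversal shown in this post, but the realpath() containment test is what catches the cases a regex does not think of (symlinks, unusual separators), which is why both are kept.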

Stay safe and good luck out there. This is just one vulnerability in one theme from one vendor on ThemeForest. Are you willing to bet there are more?