23 May

False Vulnerability Report: CKEditor 4.0 Arbitrary File Upload Exploit

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

We have recently had requests for a file in the plugin CKEditor for WordPress on one of our websites as part of a series of requests that seem to be looking for use of plugins, likely to then try to exploit them. We couldn’t find any valid reports of vulnerabilities in this plugin, but we did find one false report of a vulnerability that clearly has continued to confuse some people into believing it was real long after its release.

The report from February of 2013 is titled CKEditor 4.0 Arbitrary File Upload Exploit and includes code that is described as allowing to “upload a shell to compromise the system” through the plugin. If take a look at this for a second it becomes clear it is false. The code has you send a request to the file/includes/upload.php in the plugin. If you do that in version 4.0 you will received the following error message

Fatal error: Call to undefined function _e() in [server location]/wp-content/plugins/ckeditor-for-wordpress/includes/upload.php on line 3

Looking at the first three lines of code in the file you can see what is going on:

<div class="wrap">
	<div id="icon-wp-ckeditor" class="icon32"><br /></div>
	<h2><?php _e('CKEditor - Upload Settings', 'ckeditor_wordpress') ?></h2>

The first two are just HTML code and third uses the function _e(), which is part of WordPress, so when accessing this file directory that won’t exist. That leads to the error, so this could not possibly work.

In version code was added to the beginning of the file that stops direct access to the file:

<?php if ( !defined('ABSPATH')){ exit; } // Exit if accessed directly

Going back to version 1.0 the third line has contained the use of the e_() function, so sending a request directly to the file could never had worked.

The other major problem with this is that the file /includes/upload.php doesn’t process uploads at all, instead it contains the code for displaying the Upload Options settings page for the plugin. So we have no idea why someone though this would possibly allow uploading files.

A GitHub Project and the WPScan Vulnerability Database

Somehow all of that didn’t stop from someone from creating a project on Github to exploit the non-existent vulnerability last year. No surprisingly the part where the code to exploit vulnerability would be, it states that “This part is not ready”:

 #TODO: This part is not ready.
 files = {'NewFile': open(file_to_upload, 'rb')}
 r = requests.post(("%s/wp-content/plugins/ckeditor-for-wordpress/includes/upload.php" % website), files=files)
 print r.text

The vulnerability is also listed in WPScan Vulnerability Database despite not actually existing, which is yet another reminder of the pretty serious accuracy issues with their data: