When it comes to hacking websites most of the time hackers are not interested in targeting specific websites, instead they are just trying to hit as many websites as possible to use for various purposes. That means that many types of vulnerabilites are not much of a threat because hackers are not often trying to exploit them. You still want to make sure those vulnerabilities don’t exist because if someone does target your website, you don’t want to be vulnerable. When it comes to WordPress websites, what seems like it would be one of the most interesting type of website to be the subject of targeted attacks would be website with eCommerce functionality, since there is sensitive data being handled by the website.
One of the more popular eCommerce solutions for WordPress is WooCommerce, which has over 1 million active installs according to wordpress.org (which includes this website). There are also many plugins designed to work with that and each of those things introduces additional security risks. Since we started this service quite a few of those plugins have been found to have security vulnerabilities. We just came across another one.
While looking over some plugins that handle uploads we came across the plugin WooCommerce Upload My File, which allows customers to upload a file beside their order. That obviously introduce a potential risk, since if a hacker could use that to upload a malicious file it could allow them a high level of access to the website. To limit this the plugin restricts the file extensions that can be upload through the plugin, with it defaulting to only allowing jpg and png extensions. The permitted extensions is set on the plugin’s setting page and that is where we found an issue. The setting’s page for the plugin didn’t have protection against cross-site request forgery (CSRF), so that if a hacker could get a logged in admin to visit a page they control the hacker could cause the allowed extensions to be changed so that a .php file could be uploaded. From there they could create an order and then upload .php file with malicious code in it.
The vulnerability existed from version 0.1 to 0.3.9.
Proof of Concept
The following proof of concept will change the allowed file types for the plugin to “jpg,png,php”.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=woocommerce_umf" method="POST"> <input type="hidden" name="umf_fields_submitted" value="submitted" /> <input type="hidden" name="woocommerce_umf_allowed_file_types" value="jpg,png,php" /> <input type="submit" value="Submit" /> </form> </body> </html>
- 6/15/2016 – Developer notified.
- 6/17/2016 – Version 0.4.0 released, which fixes vulnerability.