13 Sep

Authenticated Arbitrary File Upload Vulnerability in Football Pool

Through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities, we recently found an authenticated arbitrary file upload vulnerability in the Football Pool plugin.

The plugin has a number of admin pages that are available to users with the ‘manage_football_pool’ capability. The plugin creates a new role with that capability and also grants it to Editor- and Administrator-level users (in the file /classes/class-football-pool.php):

add_role( 'football_pool_admin', 'Football Pool Admin', 
			array(
				'read' => true,
				'manage_football_pool' => true,
			)
);

$role = get_role( 'administrator' );
if ( ! is_null( $role ) ) $role->add_cap( 'manage_football_pool' );
$role = get_role( 'editor' );
if ( ! is_null( $role ) ) $role->add_cap( 'manage_football_pool' );

Through the Matches admin page the plugin provides an upload capability intended for CSV files.

When an upload occurs, a valid nonce is checked before the function that handles it runs, which prevents cross-site request forgery (CSRF) (in the file /admin/class-football-pool-admin-games.php):

check_admin_referer( FOOTBALLPOOL_NONCE_ADMIN );
$uploaded_file = self::upload_csv();

As of version 2.6.3, that function did not restrict what type of file could be uploaded; the uploaded file was written to the upload directory under its original name:

private static function upload_csv() {
	$err = false;
	if ( is_uploaded_file( $_FILES['csv_file']['tmp_name'] ) ) {
		$new_file = FOOTBALLPOOL_CSV_UPLOAD_DIR . $_FILES['csv_file']['name'];
		if ( move_uploaded_file( $_FILES['csv_file']['tmp_name'], $new_file ) === false ) {

Earlier today we notified the developer of the plugin of the vulnerability and they promptly released a new version, 2.6.4, which limits uploads to files with a .csv or .txt extension:

private static function upload_csv() {
	$err = false;
	$msg = '';
	if ( is_uploaded_file( $_FILES['csv_file']['tmp_name'] ) ) {
		$new_file = FOOTBALLPOOL_CSV_UPLOAD_DIR . $_FILES['csv_file']['name'];
		$extension = pathinfo( $new_file, PATHINFO_EXTENSION );
		if ( in_array( $extension, array( 'csv', 'txt' ) ) ) {
			if ( move_uploaded_file( $_FILES['csv_file']['tmp_name'], $new_file ) === false ) {
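As an added example that is not the plugin's own code: the same upload logic written defensively, going a step beyond the 2.6.4 fix. It keeps the plugin's FOOTBALLPOOL_CSV_UPLOAD_DIR constant and the csv_file field name; the function name fp_example_upload_csv and the use of sys_get_temp_dir() as a stand-in directory are assumptions for this illustration. The original filename is used only to read its extension, the extension is compared case-insensitively, the content is checked to look like plain text, and the file is stored under a server-chosen name so nothing the client supplied ends up on disk.

```php
<?php
// Added example, not Football Pool's code: a hardened upload handler.

// The plugin defines this constant itself; defined here only so the snippet
// runs stand-alone (assumed path, not the plugin's real one).
if ( ! defined( 'FOOTBALLPOOL_CSV_UPLOAD_DIR' ) ) {
    define( 'FOOTBALLPOOL_CSV_UPLOAD_DIR', sys_get_temp_dir() . '/football-pool/schedules/' );
}

/**
 * Validate and store one uploaded schedule file.
 * $file is one entry of $_FILES, e.g. $_FILES['csv_file'].
 * Returns the stored path on success or an error message string on failure.
 */
function fp_example_upload_csv( array $file ) {
    // 1. Make sure PHP itself accepted the upload and it is a real upload.
    if ( ! isset( $file['tmp_name'], $file['name'], $file['error'] )
         || $file['error'] !== UPLOAD_ERR_OK
         || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return 'No valid upload received.';
    }

    // 2. Work on the base name only, and strip anything outside a safe set of
    //    characters, so a crafted name cannot carry a path or odd bytes.
    //    (Inside WordPress, sanitize_file_name() would do this job.)
    $name = preg_replace( '/[^A-Za-z0-9._-]/', '_', basename( $file['name'] ) );

    // 3. Extension whitelist, compared case-insensitively so "x.CSV" is treated
    //    exactly like "x.csv" rather than falling through an exact-match test.
    $extension = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $extension, array( 'csv', 'txt' ), true ) ) {
        return 'Only .csv and .txt files are accepted.';
    }

    // 4. Look at the bytes, not just the name: a schedule file must be text.
    //    (An empty file reports application/x-empty and is rejected too.)
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime  = (string) $finfo->file( $file['tmp_name'] );
    if ( strpos( $mime, 'text/' ) !== 0 ) {
        return 'File content is not plain text (' . $mime . ').';
    }

    // 5. Store under a server-chosen name; the client's name is never reused.
    if ( ! is_dir( FOOTBALLPOOL_CSV_UPLOAD_DIR )
         && ! mkdir( FOOTBALLPOOL_CSV_UPLOAD_DIR, 0750, true ) ) {
        return 'Upload directory is not available.';
    }
    $target = FOOTBALLPOOL_CSV_UPLOAD_DIR
            . 'schedule-' . bin2hex( random_bytes( 8 ) ) . '.' . $extension;
    if ( move_uploaded_file( $file['tmp_name'], $target ) === false ) {
        return 'Could not store the uploaded file.';
    }
    return $target;
}

// Usage at the point the plugin calls upload_csv(), after the nonce check:
//   check_admin_referer( FOOTBALLPOOL_NONCE_ADMIN );
//   $result = fp_example_upload_csv( $_FILES['csv_file'] );
//   // $result is either a path under the upload directory or an error string.
```

The extension check alone is what 2.6.4 adds; the content check and the server-chosen filename are defence in depth, so that a renamed script or a name containing path separators is stopped even if a later change to the whitelist is too permissive. Keeping PHP execution disabled in the upload directory at the web-server level is the usual complement to checks like these.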

Proof of Concept

  1. Log in to WordPress as a user with the role Football Pool Admin.
  2. Visit the Matches page of the plugin, /wp-admin/admin.php?page=footballpool-games.
  3. Click the “Bulk change game schedule” button in the top right of the page.
  4. In the “Upload new game schedule” section of the page, choose a file and click the “Upload CSV” button.
  5. The file will be uploaded to the directory /wp-content/uploads/football-pool/schedules/.
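A complementary check for site owners, added here and not part of the advisory: a small PHP command-line script that walks the upload directory named in step 5 and reports any file whose extension is not .csv or .txt, or whose first bytes contain a PHP open tag. The function name fp_audit_schedule_dir, the assumption that the script is run from the WordPress root, and the sample directory it builds for itself when run without arguments are mine.

```php
<?php
// Added example, not part of the advisory: audit the plugin's schedule upload
// directory for files that should not be there.
//   php audit-schedules.php                      # uses wp-content/... under cwd
//   php audit-schedules.php /path/to/schedules   # explicit directory

/**
 * Return an array of path => list of reasons for every suspicious file.
 */
function fp_audit_schedule_dir( string $dir, array $allowed = array( 'csv', 'txt' ) ): array {
    $findings = array();
    if ( ! is_dir( $dir ) ) {
        return $findings;
    }
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $path    = $info->getPathname();
        $reasons = array();

        $ext = strtolower( $info->getExtension() );
        if ( ! in_array( $ext, $allowed, true ) ) {
            $reasons[] = 'unexpected extension "' . $ext . '"';
        }

        // A schedule file is plain text; a PHP open tag anywhere in the first
        // bytes means executable content regardless of the extension.
        $head = (string) file_get_contents( $path, false, null, 0, 1024 );
        if ( stripos( $head, '<?php' ) !== false || strpos( $head, '<?=' ) !== false ) {
            $reasons[] = 'contains a PHP open tag';
        }

        if ( $reasons ) {
            $findings[ $path ] = $reasons;
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    $dir = $argv[1] ?? getcwd() . '/wp-content/uploads/football-pool/schedules';

    // Constructed sample data: when the directory does not exist, build a
    // throwaway one so the script can be tried without a WordPress install.
    if ( ! is_dir( $dir ) ) {
        $dir = sys_get_temp_dir() . '/fp-audit-sample';
        @mkdir( $dir, 0750, true );
        file_put_contents( $dir . '/schedule.csv', "2017-09-13,Team A,Team B\n" );
        file_put_contents( $dir . '/notes.txt', "plain text\n" );
        file_put_contents( $dir . '/looks-like-a-schedule.csv', "<?php echo 'not a schedule';\n" );
        file_put_contents( $dir . '/other.bin', "\x00\x01\x02" );
        echo "No schedules directory found; auditing constructed sample at $dir\n";
    }

    $findings = fp_audit_schedule_dir( $dir );
    if ( ! $findings ) {
        echo "OK: only .csv/.txt files with text content under $dir\n";
        exit( 0 );
    }
    foreach ( $findings as $path => $reasons ) {
        echo "SUSPICIOUS: $path (" . implode( '; ', $reasons ) . ")\n";
    }
    exit( 1 );
}
```

On the constructed sample the script flags looks-like-a-schedule.csv (PHP open tag) and other.bin (unexpected extension) and exits non-zero, which makes it usable from a cron job or a post-update check. File modification times in that directory compared against the date 2.6.4 was installed help decide whether anything flagged predates the fix.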

Timeline

  • September 13, 2017 – Developer notified.
  • September 13, 2017 – Developer responds.
  • September 13, 2017 – Version 2.6.4 released, which fixes the vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
