19 Oct 2017

Arbitrary File Viewing Vulnerability in Candidate Application Form

Recently, in our monitoring of the WordPress Support Forum, we ran across a thread claiming that a vulnerability in the plugin Candidate Application was being exploited. The vulnerability being referred to there was actually in another plugin: the slug of the plugin being discussed is wp-candidate-application-form, while the vulnerability was in a plugin with the slug candidate-application-form. The vulnerability mentioned in the thread was disclosed in July of 2015. Both plugins have the same author, and it looks like after the first plugin was removed they simply moved to the new one. That seems like something the Plugin Directory should have noticed at the time the second one was submitted to the Plugin Directory.

Looking at the code of the new plugin we found that it has the same type of vulnerability as the first one, though the code has been changed.

In the new plugin, during init the plugin will run the function DownloadAttachment() (in the file /apply_form.php):

add_action('init', array($this, 'DownloadAttachment'));

That function then will call the function downloadUrlToFile() if the GET or POST input “download-attachment” exists:

function DownloadAttachment()
{
	if (isset($_REQUEST['download-attachment'])) {
		$dir = FILE_UPLOAD_DIR;
		// sanitize_text_field() strips tags, line breaks and extra whitespace,
		// but leaves "../" sequences in the value untouched
		$file = sanitize_text_field($_REQUEST['file']);
		$this->downloadUrlToFile($dir, $file);
	}
}

In the function downloadUrlToFile() there is code that will output the contents of a file in various ways. The file to be output is the combination of the $dir and $file values passed in from the DownloadAttachment() function. The value of $dir is the upload directory of the plugin, /wp-content/uploads/candidate_application_form/, and the $file value comes from the GET or POST input “file”. There is no restriction on directory traversal, so that code can be used to view the contents of files outside of the plugin's upload directory.
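As an added example, not code from the plugin or from its developer, the following shows one way DownloadAttachment() could confine the requested file to the upload directory before handing it to the output code. FILE_UPLOAD_DIR and sanitize_text_field() are the names from the plugin code above; resolve_attachment_path(), DownloadAttachmentHardened() and the stub definitions are assumed names added so the file can also be run outside WordPress for illustration.

```php
<?php
// Added example, not the plugin's code. The stubs below are only defined
// when the real WordPress/plugin definitions are absent, so the file can be
// run from the command line against constructed input.
if (!defined('FILE_UPLOAD_DIR')) {
    define('FILE_UPLOAD_DIR', sys_get_temp_dir() . '/candidate_application_form');
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('wp_die')) {
    function wp_die($msg, $code = 403) { http_response_code($code); exit($msg); }
}

/**
 * Resolve $file relative to $dir and return the absolute path only when the
 * result is still inside $dir; return null for anything else.
 */
function resolve_attachment_path($dir, $file)
{
    $base = realpath($dir);
    if ($base === false) {
        return null; // upload directory does not exist
    }
    // basename() discards every directory component, so a value such as
    // "../../../wp-config.php" collapses to "wp-config.php" and is only
    // looked up inside $base. NUL bytes are dropped first.
    $name = basename(str_replace("\0", '', (string) $file));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so confirm the final target is still
    // under the upload directory rather than trusting the name alone.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Hardened replacement for the DownloadAttachment() handler shown above.
function DownloadAttachmentHardened()
{
    if (!isset($_REQUEST['download-attachment'])) {
        return;
    }
    $file = sanitize_text_field(isset($_REQUEST['file']) ? $_REQUEST['file'] : '');
    $path = resolve_attachment_path(FILE_UPLOAD_DIR, $file);
    if ($path === null) {
        wp_die('Invalid attachment.', 403);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Command-line demonstration on constructed input: one legitimate upload
// name and one traversal attempt of the kind described in the advisory.
if (PHP_SAPI === 'cli') {
    @mkdir(FILE_UPLOAD_DIR, 0700, true);
    file_put_contents(FILE_UPLOAD_DIR . '/resume.pdf', 'constructed sample upload');
    var_dump(resolve_attachment_path(FILE_UPLOAD_DIR, 'resume.pdf'));
    var_dump(resolve_attachment_path(FILE_UPLOAD_DIR, '../../../wp-config.php'));
}
```

The containment check on the realpath() result is what actually enforces the boundary; basename() alone would not catch a symlink placed inside the upload directory that points elsewhere. The advisory only concerns directory traversal, so the example deliberately says nothing about who is permitted to download candidate applications; a real fix would also need a capability and nonce check appropriate to the plugin.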

We contacted the developer a week ago, but haven’t heard anything back from them and the plugin hasn’t been updated. The plugin was last updated 22 months ago, so it doesn’t seem to be supported anymore. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept will display the contents of the WordPress configuration file, wp-config.php.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/?download-attachment=test&file=../../../wp-config.php

Timeline

  • October 12, 2017 – Developer Notified

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
