2 Jul 2018

Our Proactive Monitoring Caught a Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in wpShopGermany Free

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which is less of a concern for the average website but could be utilized in a targeted attack. That happened with the cross-site request forgery (CSRF)/arbitrary file upload vulnerability we found in the plugin wpShopGermany Free. This vulnerability could have allowed an attacker who could get a logged-in Administrator to visit a URL the attacker controls to cause that Administrator to unintentionally upload arbitrary files.

Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our service as well as separately).

The vulnerability occurred in the function widerrufsbelehrungAction() in the file /controller/wpsg_AdminController.class.php. That function runs when accessing the page /wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung, which is accessible to Administrator-level users. When that function was run as of version 4.0.10, if the GET or POST input “submit” existed and a file attached to an input named “wpsg_widerrufsformular” existed, then the file would have been saved to the directory /wp-content/uploads/wpsg/wpsg_revocation/:

public function widerrufsbelehrungAction()
{

	if (isset($_REQUEST['submit']))
	{
		// 4.0.10: no nonce check here, so a forged cross-site request is processed.
		$this->shop->update_option('wpsg_ps_mailwiderruf', $_REQUEST['wpsg_ps_mailwiderruf']);
		$this->shop->addTranslationString('wpsg_ps_mailwiderruf', $_REQUEST['wpsg_ps_mailwiderruf']);

		if (file_exists($_FILES['wpsg_widerrufsformular']['tmp_name']))
		{

			if (!file_exists(WPSG_PATH_UPLOADS.'wpsg_revocation/')) mkdir(WPSG_PATH_UPLOADS.'wpsg_revocation/', 0775, true);

			$this->clearRevocationForm();

			// The client-supplied file name is used as-is and no file type check is made.
			move_uploaded_file($_FILES['wpsg_widerrufsformular']['tmp_name'], WPSG_PATH_UPLOADS.'wpsg_revocation/'.$_FILES['wpsg_widerrufsformular']['name']);

There was no check for a valid nonce, which would prevent cross-site request forgery (CSRF) from occurring. There also was no restriction on what types of files can be uploaded.

After we notified the developer, they released version 4.0.11, which fixes the vulnerability by checking for a valid nonce before allowing the upload:

public function widerrufsbelehrungAction()
{

	if (isset($_REQUEST['submit']))
	{

		\check_admin_referer('wpsg-save-revocation');

A check of the mime type of the file being uploaded was also added.
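To show what the two fixes described above look like together in a WordPress admin handler, here is an added example written for this post; it is not wpShopGermany's code. The function names wpsg_example_render_form() and wpsg_example_save_revocation(), the PDF-only allow list, the capability used and the upload path are assumptions for illustration; only check_admin_referer() and the nonce action 'wpsg-save-revocation' come from the plugin's fix.

```php
<?php
// Added example, not the plugin's own code. Function names, the allow list,
// the capability and the upload directory are assumptions for illustration.

// 1. The admin form emits a nonce bound to the same action the handler checks.
//    A form on an attacker's site cannot know this per-user, per-action token.
function wpsg_example_render_form() {
    ?>
    <form method="post" enctype="multipart/form-data">
        <?php wp_nonce_field( 'wpsg-save-revocation' ); ?>
        <input type="file" name="wpsg_widerrufsformular" accept="application/pdf" />
        <input type="submit" name="submit" value="<?php echo esc_attr__( 'Save', 'wpsg' ); ?>" />
    </form>
    <?php
}

// 2. The handler checks the nonce first, then authorization, then the file itself.
function wpsg_example_save_revocation() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }

    // CSRF protection: dies unless the _wpnonce field was issued for this
    // action to the current user. This is the check added in 4.0.11.
    check_admin_referer( 'wpsg-save-revocation' );

    // The nonce proves intent, not permission; check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpsg' ) );
    }

    if ( empty( $_FILES['wpsg_widerrufsformular']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['wpsg_widerrufsformular']['tmp_name'] ) ) {
        return;
    }

    $file = $_FILES['wpsg_widerrufsformular'];

    // File type restriction: only a PDF is accepted. wp_check_filetype_and_ext()
    // matches the extension against the allow list and, where WordPress can
    // determine the real content type, rejects a mismatch between the two.
    $allowed = array( 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( esc_html__( 'Only PDF files are accepted.', 'wpsg' ) );
    }

    // Never reuse the client-supplied name verbatim: drop any path components
    // and unsafe characters, and force the validated extension.
    $name = sanitize_file_name( pathinfo( $file['name'], PATHINFO_FILENAME ) ) . '.' . $check['ext'];

    // Assumed location; mirrors the directory named in this post.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'wpsg/wpsg_revocation/';
    if ( ! wp_mkdir_p( $dir ) ) {
        wp_die( esc_html__( 'Could not create upload directory.', 'wpsg' ) );
    }

    if ( ! move_uploaded_file( $file['tmp_name'], $dir . $name ) ) {
        wp_die( esc_html__( 'Upload failed.', 'wpsg' ) );
    }
}
```

The ordering matters: the nonce check runs before any state changes (including the option update that precedes the upload in the original function), the capability check is kept even though the page is only reachable by Administrators, and the stored file name is derived from the validated type rather than taken from the request.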

There are other locations in the plugin without proper protection against CSRF and the developer said that those would be fixed in the next 4 weeks.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/wpsg/wpsg_revocation/, when logged in to WordPress as Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung&noheader=1" method="POST" enctype="multipart/form-data">
<input type="file" name="wpsg_widerrufsformular" />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 25, 2018 – Developer notified.
  • June 26, 2018 – Developer responds.
  • June 29, 2018 – Version 4.0.11 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
