Yesterday we detailed an arbitrary file upload vulnerability we had noticed had previously been in the plugin LearnPress through a check being run over changes being made to WordPress plugins as part of our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities to see if that check might be something that we could add to our Plugin Security Checker, which is a tool that allows anyone to see if there are possible security issues in plugins that could use further investigation. After finding that it identified that issue in LearnPress we added the check to the Plugin Security Checker and then ran the plugin through to make sure the check was properly implemented. When we did that we found that the tool was flagging a number of other possible issues. We happened to take a look at one of the issues and find that the plugin allows writing arbitrary content to a file, which could be, say, combined with a local file inclusion (LFI) vulnerability to cause malicious code to run.
This vulnerability is yet another good example of where our Plugin Security Checker and someone knowledgeable of security reviewing its results can come in handy, as that vulnerability has existed in the plugin since the first version, which was released three and half years ago. If you are a paying customer of our service you can suggest/vote for plugins to receive a security review that includes checking over any issue identified by the tool or you can order the same type of review separately that will also included reviewing the results of the tool.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.
The Plugin Security Checker flagged the following line in the file /inc/gateways/paypal/paypal-ipn/ipn.php:
print_r( $_REQUEST );
While it was flagged as possibly leading to reflected cross-site scripting (XSS) as the code would output user input, the lines around it instead cause the user input to be saved a file at /wp-content/plugins/learnpress/inc/gateways/paypal/paypal-ipn/ipn.txt on websites using the plugin:
32 33 34
ob_start(); print_r( $_REQUEST ); file_put_contents( 'ipn.txt', ob_get_clean() );
It looks like the intended usage of this might be to record PayPal Instant Payment Notification (IPN) messages, which shouldn’t be stored in that location for at least a couple of reasons.
Proof of Concept
The following proof will cause the PHP code “<?php echo ‘test’; ?> ” to be written to the file at /wp-content/plugins/learnpress/inc/gateways/paypal/paypal-ipn/ipn.txt, which when included will run.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-content/plugins/learnpress/inc/gateways/paypal/paypal-ipn/ipn.php?test=<?php echo 'test'; ?>