26 Oct 2021

Wordfence Security Fails To Protect Against Exploitation of Vulnerability Through PHP Input Stream

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was released. That type of vulnerability is highly likely to be exploited. While reviewing it to confirm there was indeed a vulnerability to add to the data set for our service, we found a notable element of the underlying code that caused it: there were two ways the file being uploaded could be sent with the request. Our then upcoming WordPress firewall plugin, Plugin Vulnerabilities Firewall, protected against common exploitation through only one of them. We then updated our plugin to protect against the other; it turns out that the Wordfence Security plugin has not been updated to do so.

The vulnerable code in the plugin is in the function p3dlite_handle_upload(), which was made accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in:

add_action( 'wp_ajax_p3dlite_handle_upload', 'p3dlite_handle_upload' );
add_action( 'wp_ajax_nopriv_p3dlite_handle_upload', 'p3dlite_handle_upload' );

In that function, which is located in the file /includes/3dprint-lite-functions.php, when reading the file being uploaded, the code first looks for an HTTP file upload in $_FILES, and if that is empty, it reads the PHP input stream (php://input) instead:

// Open temp file
if ( !$out = @fopen( "{$filePath}.part", $chunks ? "ab" : "wb" ) ) {
	die( '{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "'.__( 'Failed to open output stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
}
 
if ( !empty( $_FILES ) ) {
	if ( $_FILES["file"]["error"] || !is_uploaded_file( $_FILES["file"]["tmp_name"] ) ) {
		die( '{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "'.__( 'Failed to move uploaded file. Error code: '.$_FILES["file"]["error"], '3dprint-lite' ).'"}, "id" : "id"}' );
	}
 
	// Read binary input stream and append it to temp file
	if ( !$in = @fopen( $_FILES["file"]["tmp_name"], "rb" ) ) {
		die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
	}
} else {
	if ( !$in = @fopen( "php://input", "rb" ) ) {
		die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
	}
}

Once we noticed that, we realized we had work to do with our firewall plugin, as we didn’t have any capability to check for files being sent through the PHP input stream.
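As an added illustration of the missing capability (this is example code written for this post, not code from 3DPrint Lite, Wordfence, or the Plugin Vulnerabilities Firewall), the check below inspects an upload request through both paths the plugin code above accepts: a conventional multipart upload parsed into $_FILES, and a file sent as the raw request body that the handler reads from php://input. A firewall that only looks at $_FILES covers the first path and misses the second. The function names, the extension list and the constructed sample bodies are assumptions for illustration.

```php
<?php
// Added example, not part of the plugin or any firewall product: a
// request-level check covering BOTH ways a file can reach the handler.
// Names (pvf_*) and the extension list are assumptions for illustration.

/**
 * True if $content looks like it contains PHP code. Matches the normal
 * open tag, the echo tag and the short open tag, case-insensitively,
 * anywhere in the content: a polyglot file puts the tag after a valid
 * image header, so we do not stop after the first bytes.
 */
function pvf_contains_php_code(string $content): bool
{
    return (bool) preg_match('/<\?(?:php\b|=|\s)/i', $content);
}

/**
 * True if a file name carries an extension PHP may execute. Every
 * extension component is checked, so "file.php.jpg" is caught too.
 */
function pvf_has_php_extension(string $name): bool
{
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts); // drop the base name, keep the extensions
    foreach ($parts as $ext) {
        if (in_array($ext, $executable, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Inspect one request. $files mirrors $_FILES; $rawBody is what the
 * handler would read from php://input. Returns a list of findings,
 * empty when nothing suspicious was seen.
 */
function pvf_inspect_upload_request(array $files, string $rawBody): array
{
    $findings = [];

    // Path 1: HTTP file upload, already parsed by PHP into $_FILES.
    foreach ($files as $field => $file) {
        if (!empty($file['name']) && pvf_has_php_extension($file['name'])) {
            $findings[] = "field '$field': executable extension in name '{$file['name']}'";
        }
        if (!empty($file['tmp_name']) && is_readable($file['tmp_name'])
            && pvf_contains_php_code((string) file_get_contents($file['tmp_name']))) {
            $findings[] = "field '$field': PHP code in uploaded content";
        }
    }

    // Path 2: the file sent as the raw request body. This is the branch
    // 3DPrint Lite falls back to when $_FILES is empty, and the one a
    // firewall misses if it only inspects $_FILES.
    if (empty($files) && pvf_contains_php_code($rawBody)) {
        $findings[] = 'raw request body (php://input) contains PHP code';
    }

    return $findings;
}

// Wiring for a WordPress site: admin_init fires in admin-ajax.php before
// the wp_ajax_* action is dispatched. On PHP 5.6 and later php://input can
// be read again by the plugin afterwards, so inspecting it here does not
// break legitimate uploads.
if (function_exists('add_action')) {
    add_action('admin_init', function () {
        if (($_REQUEST['action'] ?? '') !== 'p3dlite_handle_upload') {
            return;
        }
        $body = (string) file_get_contents('php://input');
        if (pvf_inspect_upload_request($_FILES, $body)) {
            status_header(403); // a real firewall would also log the request
            exit('Blocked: upload request contains PHP code');
        }
    });
}

// Offline demonstration with constructed inputs (no WordPress needed).
if (PHP_SAPI === 'cli') {
    // Constructed: a PNG header followed by a PHP open tag, sent as raw body.
    $polyglot = "\x89PNG\r\n\x1a\n...<?php echo 1; ?>";
    var_dump(pvf_inspect_upload_request([], $polyglot));        // one finding
    // Constructed: a harmless ASCII STL fragment, the kind of file the plugin expects.
    $stl = "solid cube\nfacet normal 0 0 1\nendsolid cube\n";
    var_dump(pvf_inspect_upload_request([], $stl));             // empty array
    // Constructed: a multipart upload whose name has a double extension.
    $files = ['file' => ['name' => 'model.php.stl', 'tmp_name' => '', 'error' => 0]];
    var_dump(pvf_inspect_upload_request($files, ''));           // one finding
}
```

Because PHP parses a multipart/form-data body into $_FILES and the raw body is then not available through php://input, the two paths are genuinely separate and a firewall needs both checks; a content scan that only runs on the temporary file from $_FILES never sees a file that arrived as the raw body.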

While looking into that, we found that this isn’t the only plugin that permits handling uploads that way.

When we address a form of protection lacking from our plugin, one thing we do is check what protection, if any, other plugins provide against it. Looking at the Wordfence Security plugin at the time, we found that it didn't provide protection against this when the file containing PHP code was sent through the PHP input stream, despite providing protection when the file was sent as an HTTP file upload. It wasn't alone in that at the time.

As Wordfence holds back new security rules for their firewall from those not using the paid Wordfence Premium service for 30 days, we wanted to check back once the 30 days had passed, to see if they had added general protection to address this type of situation or had at least provided a rule to protect against it with this particular vulnerability.

Now that it has been over 30 days, we could do that. The result was that the plugin still doesn't provide any protection when the PHP file is sent through the PHP input stream, and no rule appears to have been added providing either general protection or protection specifically for this particular vulnerability. That is hardly in line with their claim that their firewall stops websites from being hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

And how they market the Wordfence Premium service:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

Based on the less comprehensive testing for protection against this situation that is part of the automated testing we do of many security plugins, it would appear that only our plugin currently provides that type of protection, despite the developers of the other plugins having had years of development in which to address this.

