Login

Tag Archives: Cross-Site Request Forgery (CSRF)/Arbitrary File Upload

25 Aug 2017

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Participants Database

We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for are arbitrary file upload vulnerabilities since those are likely to be exploited if hackers become aware of them. Through that we came across a cross-site request forgery(CSRF)/arbitrary file upload vulnerability in the plugin Participants Database.

The plugin’s “Import CSV File” admin page, which is accessible to Administrators, is generated by the file /upload_csv.php. At the beginning of the file it checks that file is not being loaded directly and that the person accessing it has the proper permission to access it. It then creates a new instance of the class PDb_CSV_Import: [Read more]

26 Jun 2017

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Newsletters

We recently have been trying to get an idea of how effective it would be to try to proactively catch some vulnerabilities when changes are made to WordPress plugins that include those vulnerabilities. Seeing as arbitrary file upload vulnerabilities are at the top in terms of exploits that seems like one area where it might make sense to focus on, while looking over just several days worth of plugin changes we ran across a related, though much less concerning vulnerability. That being a cross-site request forgery (CSRF)/arbitrary file upload vulnerability in the plugin Newsletters, which would be unlikely to be targeted on a wide scale, but might be used in a targeted attack.

The vulnerability is caused by two security failures. [Read more]

21 Apr 2017

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in TheCartPress

In February we saw what looked like it might be a hacker probing for usage of the plugin TheCartPress. While we already had a vulnerability in our data that could have been what a hacker might be targeting, we started looking for any other vulnerabilities in the current version that might be of interest of a hacker. While doing that we found a cross-site request forgery (CSRF)/arbitrary file upload vulnerability, which could allow an attacker to cause a logged in Administrator to upload a file to the website. The file is placed in a directory that is restricted from access through a .htaccess file, so the file would only be accessible on servers that don’t use those file (several of which are supported for use with WordPress) or using a local file inclusion (LFI) vulnerability. The combination of the type of vulnerability and that restriction make it unlikely that this vulnerability would be exploited.

The vulnerability exists in the file /admin/UploadFiles.php, which is made accessible to Administrators through the following line in the /TheCartPress.class.php: [Read more]

13 Mar 2017

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Really Simple Gallery

While looking in to a report of a reflected cross-site scripting vulnerability in the plugin Really Simple Gallery we noticed that there is also cross-site request forgery (CSRF)/arbitrary file upload vulnerability in it.

When uploading a file through the plugin’s settings page there is no check for a valid nonce to protect against CSRF, as seen in the file /reallysimplegallery.php starting on line 90: [Read more]

14 Sep 2016

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in CYSTEME Finder

Certain types of plugins are inherently more of a security concern because their intended functionality involves actions that hackers frequently attempt to exploit, so if something is wrong with their security it is likely the plugin will be exploited. That doesn’t mean that people developing them are going to be very careful in coding them or that the public using them is going to do any checking, as can be seen with the plugin CYSTEME Finder. The plugin, which has 7,000+ active installs according to wordpress.org, provides a file manger in WordPress, which allows uploading files and viewing the content of files. We see vulnerabilities in those two types of functionality frequently targeted by hackers, with vulnerabilities in upload functionality much more likely to successfully exploited and leading to a website being hacked.

Recently someone under the handle T0w3ntum looked at the plugin and found that it contained arbitrary file upload and arbitrary file viewing vulnerabilities, as of version 1.3. The vulnerabilities existed due to the plugin not making properly restricting access to the upload and file viewing functionality. In looking over the changes made to fix those in version 1.4, we were troubled by the odd choice of security code and found an additional vulnerability. In the changelog entry for 1.4 sates that the was a security fix involving “use of PHP session rather than REQUEST vars”. That didn’t sound like the type of change we would expect to fix this type of vulnerability in a WordPress plugin. Looking at the changes made it didn’t change our view. Instead of checking that requests to the plugin are made by someone who should be able to, by using WordPress functions, they are checking a PHP session. While it looks to have fix the vulnerabilities, not using the WordPress functionality specifically designed for this, would make of us wary of using such a plugin. [Read more]

21 Jun 2016

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Remote Upload

For our data set of vulnerabilities we don’t just add any claimed vulnerability, instead we test out each vulnerability before adding it. That requires a lot more time, but it produces much better data for our customers as we find that many vulnerability reports are false, others have incorrect information (including claims that a vulnerability has been fixed when it hasn’t), and we can tell them which versions are vulnerable.

In some cases we find that vulnerability report is false but actually point to real related issue. One such case we just ran into involved a claim that the plugin Remote Upload had an arbitrary file upload vulnerability in version 1.2.1 and below. The problem with this report is that file upload capability of the plugin is limited to Administrator level users and it isn’t really a vulnerability for them to upload arbitrary files based on the capabilities they are granted. [Read more]

31 May 2016

Authenticated Arbitrary File Upload Vulnerability in Magic Fields

In our previous post about an old arbitrary file upload vulnerability in Magic Fields, we mentioned from reviewing that, that we then noticed that another vulnerability existed.

To recap, in version 1.5.6 of Magic Fields code was added to the file/RCCWP_upload_ajax.php that checked if you were logged in and able at least edit posts, which is capability available to Contributor level users and above, before allowing arbitrary files to be uploaded through the file: [Read more]

12 May 2016

Authenticated Arbitrary File Upload Vulnerability in WP Editor

To stay on top of vulnerabilities in WordPress plugin for you, we monitor a number of different sources. One of them is hacking attempts on our websites, which mostly identifies fairly old vulnerabilities that we haven’t yet included in our data. In the case of a one vulnerability from back in 2012 we discovered that the vulnerability had never been fixed and was still in the Plugin Directory. Yesterday that monitoring lead us to seeing evidence that the WP Editor plugin is being exploited and finding a couple of serious vulnerabilities that could be what they are exploiting.

We have started seeing requests for the file /wp-content/plugins/wp-editor/js/wpeditor.js, which based on the files being requested alongside it, looks like the request are to check to see if the plugin is in use and if so then the hacker would likely try to exploit it. Since we don’t have the plugin installed the exploitation attempt didn’t happen, so we don’t know what they are trying to exploit. So then after looking for any public reports of vulnerabilities in the plugin we starting to reviewing the plugin and quickly found a couple of serious security vulnerabilities in the current version of the plugin 1.2.5.3. [Read more]