Home » wordpress » Page 7

Tag: wordpress

EDD Upload File 1.0.3 Security Vulnerability

by James Golovich

The premium extension EDD Upload File for Easy Digital Downloads has a major security vulnerability in version 1.0.3 that was fixed in version 1.0.4. I’m not sure how many active installs there are of this plugin. If you are running version 1.0.3, upgrade immediately. This version allows someone to delete files, upload files, and potentially execute PHP code via those uploaded files.

As I’ve discussed previously, Easy Digital Downloads allows any WordPress action/filter that begins with ‘edd_’ to be called remotely and each function is supposed to do the authorization.

This gives us the opportunity to do two evil things in the EDD Upload File code.

Delete any file

eddupload-delete

By calling GET ‘edd_action=upload_file_delete’ we get into this chunk of code and you can pass a ‘delete-file’ to specify a file to delete. The user running the PHP code would need appropriate permissions on the file in order to delete. The directory base is get_temp_dir() but you can use directory traversal to get out of there.

Upload arbitrary files

eddupload-uploadWith the ‘edd_payment_receipt_before’ action we are able to upload arbitrary files. If the administrator setup extensions to allow then it would restrict files to be uploaded, but by default there isn’t any setup.

The files are renamed with a unique filename, presumably to eliminate conflicting filenames but also for a bit of security. Unfortunately, it uses uniqid() which isn’t very secure especially if we know the time the upload happens (or close enough).

Guessing the filename uploaded with uniqid() would be pretty easy, but in this version you don’t even have to do that because of another bug.

eddupload-createdir

The code always checks to make sure the upload directory exists and if not it creates it as well as inserting a ‘index.php’ and ‘.htaccess’ to try to keep the webserver from listing the directory contents. Unfortunately in this case it is missing a ‘/’ so the index.php created would be something like ‘wp-content/uploads/edd-upload-filesindex.php’.

As I always recommend it is wise to keep your webserver from allowing directory listings in these directories as well as executing php/cgi from the uploads directory. In a default configuration it is trivial for someone to upload arbitrary php files and execute them remotely without any authorization.

Timeline

  • 2/26/2015 1:12am Initial disclosure
  • 2/26/2015 1:39am Developer response
  • 3/17/2015 Updated version released

Gantry Web Theme Framework 4.1.3 Vulnerability

by James Golovich

I noticed a minor potential security vulnerability in the Gantry Web Theme Framework for WordPress. This allows arbitrary code to be executed remotely, fortunately it requires a WordPress account (does not have to be admin) and also requires some crafty building of JSON text to pass through.

gantry-code

By POSTing an AJAX request with action=gantry_admin&gantry_action=widgets-mass-actions you can get into this chunk of code.

It took some really complicated building of the $_POST[‘data’] JSON to get all of the quotes balanced, but it is possible to get that code executed by eval().

All of the other AJAX functions appear to check a nonce and current_user_can() so they are secure, this function initially pushed this authorization into the gantry_widgets_save() function which would get called after the JSON is decoded.

The lesson here is to always do your authorization as early as possible.

Timeline

  • 3/4/2015 Sent request via web form with details
  • 3/5/2015 2:26am Response received saying details forwarded to development team
  • 3/10/2015 Updated version released

All-in-One WP Migration 2.0.4 Security Vulnerability

by James Golovich

There is a serious security vulnerability in All-in-One WP Migration version 2.0.4. Update immediately. This vulnerability can allow users without any authentication to export a copy of your database, plugins, themes, and uploaded files.

My story

It wasn’t supposed to happen like this. I was setting up a couple of test servers for a project I’m working on and I wanted to be able to backup and move the data around easily. Why not try out one of the tools designed to do this rather than roll my own?

I found All-in-One WP Migration, with 40,000+ installs it should be solid. Of course, I couldn’t just install it and use it as is. I had to pull back the curtain and take a peek.

At first, I saw our familiar friend AJAX without proper protection, but the import call actually checked permission. The other exposed AJAX calls couldn’t really do anything useful/threatening.

Then I noticed this little gem:

controller

Could be benign as long as it’s called from some place that has some form of authorization. Unfortunately it is called from the ‘init’ action.

allinone-router

Luckily the import function is protected so you can’t make any changes, but there is plenty of fun stuff that can be exported.

allinone-cap

Just having access to the database should be enough to panic any site administrator, but having all of the uploads, themes, and plugins bundled up in a zip file is terrifying.

I will not distribute a PoC for this. Please upgrade your sites immediately!

Vendor Response

ServMask was very quick to respond and was planning on releasing an update asap. I suggested they contact plugins@wordpress.org and see if there is the possibility to have the plugin force updated like the Yoast WordPress SEO plugin update was last week.

Timeline

  • 3/12/2015 2:40pm Vendor contacted
  • 3/12/2015 2:47pm Vendor response
  • 3/14/2015 Update released on wordpress.org