Message-ID: <4FE2811E.8030209@security-assessment.com>
Date: Thu, 21 Jun 2012 14:04:14 +1200
From: Denis Andzakovic <denis.andzakovic@...urity-assessment.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: WordPress Authenticated File Upload Authorisation Bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
WordPress - File Upload Authorisation Bypass
Affected versions: WordPress <= 3.3.2 (http://www.wordpress.org)
PDF:
http://security-assessment.com/files/documents/advisory/Wordpress%20Arbitrary%20File%20Upload%20Advisory.pdf
+-----------+
|Description|
+-----------+
Security-Assessment.com has discovered that the plugin upload function
within the WordPress administrative interface is vulnerable to an
unvalidated file upload attack. Whilst the media upload functionality
validates the uploaded file and rejects files whose extension does not
match the allowed types, the plugin upload functionality does not. This
allows an authenticated WordPress administrative user to upload
arbitrary files, including a malicious PHP script, into the WordPress
web root.
If a WordPress plugin has previously been installed, WordPress will
use saved SFTP credentials as part of the upload process. If the
credentials have changed or a plugin has not previously been
installed, the application prompts the user for credentials.
Regardless of installation status and prior to the user being prompted
for SFTP credentials, the file is uploaded into the
"/wp-content/uploads/" directory.
+------------+
|Exploitation|
+------------+
Exploitation of this vulnerability requires a malicious user with
access to the admin panel to use the
"/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
file. Upon clicking upload, the page displays an "installing plugin"
message that loops indefinitely. At this point, the malicious user
can simply browse to
"http://<vulnerablesite>/wp-content/uploads/<year>/<month>/<uploadedfile>".
A PHP shell can be uploaded in this manner in order to gain arbitrary
remote command execution.
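The two stages described above leave traces in the web server access log: a request to the plugin upload page, followed by a request for a PHP file under "/wp-content/uploads/". The following detection script is an added example written for this page; it is not part of the advisory or of Security-Assessment.com's material. It assumes the Apache "combined" log format and the URL paths named in this advisory, and the log lines it runs on are constructed samples. Matching the PHP extension anywhere after the last "/" also flags double extensions such as "x.php.jpg", which mod_php executes on hosts configured with AddHandler.

```python
"""Flag access-log lines that match the two observable stages described in
the advisory: a visit to the plugin upload page and a request for a
PHP-family file under wp-content/uploads/ (where plugin uploads land)."""
import re
from typing import List, Optional, Tuple

# Apache "combined" format prefix: client, ident, user, [timestamp],
# "METHOD TARGET PROTOCOL", status. The remaining fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions that common Apache/PHP setups hand to the PHP interpreter.
# Matching them before a "." or at the end catches "name.php.jpg" too.
PHP_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar)(?=\.|$)', re.IGNORECASE)

UPLOADS_PREFIX = "/wp-content/uploads/"   # location named in the advisory
UPLOAD_PAGE = "/wp-admin/plugin-install.php"  # page named in the advisory


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path.startswith(UPLOADS_PREFIX):
        basename = path.rsplit("/", 1)[-1]
        if PHP_EXT_RE.search(basename):
            return ("high", f"PHP-family file requested under uploads: {path}")
    if path == UPLOAD_PAGE and "tab=upload" in query.split("&"):
        return ("info", f"plugin upload page used by {m.group('ip')}")
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over every line and keep the hits, in log order."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append(result)
    return hits


# Constructed sample log, not captured from a real host.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2012:13:55:01 +1200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jun/2012:13:55:09 +1200] "GET /wp-content/uploads/2012/06/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jun/2012:13:55:40 +1200] "GET /wp-content/uploads/2012/06/shell.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jun/2012:13:56:02 +1200] "GET /wp-content/uploads/2012/06/img.php.jpg HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

The "info" hit on its own is normal administrator activity; the useful signal is a "high" hit for the same client shortly after it, which is exactly the sequence the exploitation section describes.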
+------------+
| Workaround |
+------------+
Modify the web server configuration to disable the execution of PHP within
the uploads directory.
Apache example:
In the VirtualHost directive, add the following:
<Directory /full/path/to/uploads/directory>
php_flag engine off
</Directory>
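The directive above prevents execution but does not remove already-uploaded files, and "php_flag" is only honoured by mod_php; on hosts that run PHP through PHP-FPM or FastCGI it has no effect, so a file-level check of the uploads directory is a worthwhile complement. The audit script below is an added example written for this page, not part of the advisory or of Security-Assessment.com's material. It assumes a standard "wp-content/uploads" layout and builds a constructed sample tree in a temporary directory so it runs offline; the extension list mirrors what common Apache/PHP handler configurations execute and is an assumption, not something the advisory states.

```python
"""Audit a WordPress uploads directory for files a PHP handler would
execute, i.e. what the workaround is meant to neutralise. Any hit is
something to investigate and remove, whether or not the config fix applies."""
import os
import re
import tempfile
from typing import List

# Same extension rule as a typical AddHandler-based PHP setup; the
# lookahead also catches double extensions such as "image.php.jpg".
PHP_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar)(?=\.|$)', re.IGNORECASE)


def find_php_files(uploads_root: str) -> List[str]:
    """Return paths relative to uploads_root whose file name carries a
    PHP-family extension anywhere, sorted for stable reporting."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            if PHP_EXT_RE.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), uploads_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed uploads tree (year/month layout as in the
    advisory) in a temporary directory and audit it."""
    sample = {
        "2012/06/logo.png": b"\x89PNG",
        "2012/06/notes.txt": b"hello",
        "2012/06/backdoor.php": b"<?php /* constructed placeholder */ ?>",
        "2012/06/image.php.jpg": b"<?php ?>",
        "2012/05/old.phtml": b"<?php ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_php_files(root)


if __name__ == "__main__":
    for path in demo():
        print("PHP-executable file under uploads:", path)
```

To audit a real site, call find_php_files("/full/path/to/wp-content/uploads") instead of demo(); an empty result together with the Directory block above is the state the workaround is aiming for.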
+------+
|Credit|
+------+
Discovered and advised to WordPress in
June 2012 by Denis Andzakovic of
Security-Assessment.com.
+-------------------+
|Disclosure Timeline|
+-------------------+
31-05-2012 Initial vulnerability report sent to WordPress Security Team
07-06-2012 Follow up email sent to WordPress Security Team
08-06-2012 Emails exchanged between Security-Assessment.com (SA) and the
WordPress Security Team (WST). WST asserts that this is not a
vulnerability and that "we just have to trust that the administrator
isn't uploading malicious PHP"
21-06-2012 Release of this advisory
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.
Security-Assessment.com is currently looking for skilled penetration
testers. If you are interested, please email 'hr at security-assessment.com'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJP4oEdAAoJED9OsznShNuRLFQH/2JDz/gO85Qdo7Su/cuJoVyq
65mG0uqt4BiBwmtOJrZMFOEMH5UrFrUlvENfjSveXSAmry35kNnMjYRyTQvYd0Qj
2qI5nJU8vpyn/OO4D/NRSCs1wgNaNnVxs9nbRBTcTewFu5KhCVDvErfsCsJlOOpM
EskKmV+vn/KMQx5wTrEMUg9IGP11dCcJAHFFUx8Avalkhb8QWEgWkpEv36D8grL7
gu++XJMsAnjkVycFLbEfza3pQV+sIBjRmUyu5NYVfIE9swNbk20RmLQ48Dxlw/fL
bMUHx+U/ZidBAcRzfBzcD3vT8ZS/Bv6VuIaU3b+XDK4h71EYEpeMO6QlyCr6bJA=
=xRx3
-----END PGP SIGNATURE-----