Message-ID: <4FE2811E.8030209@security-assessment.com>
Date: Thu, 21 Jun 2012 14:04:14 +1200
From: Denis Andzakovic <denis.andzakovic@...urity-assessment.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: WordPress Authenticated File Upload Authorisation Bypass




(    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

                presents..


WordPress - File Upload Authorisation Bypass
Affected versions: WordPress <= 3.3.2 (http://www.wordpress.org)

PDF:
http://security-assessment.com/files/documents/advisory/Wordpress%20Arbitrary%20File%20Upload%20Advisory.pdf


+-----------+
|Description|
+-----------+

Security-Assessment.com has discovered that the plugin upload function
within the WordPress administrative interface is vulnerable to an
unvalidated file upload attack. Whilst the media upload functionality
successfully validates the uploaded file and rejects those not
matching the correct extension, the plugin upload functionality does
not. This allows an authenticated WordPress administrative user to
upload arbitrary files, including a malicious PHP script, into the
WordPress web root.
If a WordPress plugin has previously been installed, WordPress will
use saved SFTP credentials as part of the upload process. If the
credentials have changed or a plugin has not previously been
installed, the application prompts the user for credentials.
Regardless of installation status and prior to the user being prompted
for SFTP credentials, the file is uploaded into the
"/wp-content/uploads/" directory.


+------------+
|Exploitation|
+------------+

Exploitation of this vulnerability requires a malicious user with
access to the admin panel to use the
"/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
file. Upon clicking upload, the page displays an "installing plugin"
message that loops indefinitely.  At this point, the malicious user
can simply browse to
"http://<vulnerablesite>/wp-content/uploads/<year>/<month>/<uploadedfile>".
A PHP shell can be uploaded in this manner in order to gain arbitrary
remote command execution.


+------------+
| Workaround |
+------------+

Modify the web server configuration to disable the execution of PHP within
the uploads directory.

Apache Examples:

In the VirtualHost directive, add the following:

    <Directory /full/path/to/uploads/directory>
        php_flag engine off
    </Directory>
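As an added check to go with the configuration change above (this script is not part of the advisory), the following Python walks a wp-content/uploads tree and reports any file carrying a PHP-executable extension, including double extensions, so that files already planted via the plugin upload path described in the Exploitation section can be found. The directory layout and file contents built by build_sample_uploads() are constructed for the stand-alone run and are not real data.

```python
import os
import tempfile

# Extensions a typical PHP handler configuration will execute. A file with
# one of these in the middle of its name (e.g. "x.php.jpg") is flagged too,
# since an AddHandler-based Apache setup can still pass it to PHP.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def looks_executable(filename):
    """True if any dotted component after the base name is a PHP extension."""
    parts = filename.lower().split(".")[1:]
    return any(part in PHP_EXTENSIONS for part in parts)


def find_executable_uploads(uploads_root):
    """Return sorted, slash-separated relative paths of PHP-like files.

    The advisory shows plugin archives landing in uploads/<year>/<month>/
    before any credential prompt, so that is where a planted script would
    sit. Note: 'php_flag engine off' only takes effect under mod_php; with
    PHP-FPM a handler-level deny for PHP extensions is needed instead.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(uploads_root):
        for name in filenames:
            if looks_executable(name):
                rel = os.path.relpath(os.path.join(dirpath, name), uploads_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_uploads(root):
    """Create a constructed uploads tree (sample data, not a real site)."""
    files = {
        "2012/06/holiday.jpg": b"\xff\xd8\xff",        # benign image
        "2012/06/report.pdf": b"%PDF-1.4",              # benign document
        "2012/06/shell.php": b"<?php /* planted */",    # case from the advisory
        "2012/06/avatar.php.jpg": b"<?php",             # double extension
        "2012/05/notes.txt": b"plain text",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def scan_sample_tree():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_executable_uploads(build_sample_uploads(tmp))


if __name__ == "__main__":
    for hit in scan_sample_tree():
        print("executable file in uploads:", hit)
```

Point find_executable_uploads() at a real wp-content/uploads directory to audit an existing installation; anything it reports should not be there after a clean media upload.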

+------+
|Credit|
+------+

Discovered and advised to WordPress in
June 2012 by Denis Andzakovic of
Security-Assessment.com.


+-------------------+
|Disclosure Timeline|
+-------------------+

31-05-2012  Initial vulnerability report sent to WordPress Security Team
07-06-2012  Follow up email sent to WordPress Security Team
08-06-2012  Emails between SA and WordPress Security Team. WST asserts
that this is not a vulnerability and that "we just have to trust that the
administrator isn't uploading malicious PHP"
21-06-2012  Release of this advisory


+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Security-Assessment.com is currently looking for skilled penetration
testers. If you are interested, please email 'hr at security-assessment.com'

