WordPress - File Upload Authorisation Bypass

Affected versions: WordPress <= 3.3.2 (http://www.wordpress.org)

PDF: http://security-assessment.com/files/documents/advisory/Wordpress%20Arbitrary%20File%20Upload%20Advisory.pdf

+-----------+
|Description|
+-----------+

Security-Assessment.com has discovered that the plugin upload function within the WordPress administrative interface is vulnerable to an unvalidated file upload attack. Whilst the media upload functionality successfully validates the uploaded file and rejects those not matching the correct extension, the plugin upload functionality does not. This allows an authenticated WordPress administrative user to upload arbitrary files, including a malicious PHP script, into the WordPress web root.

If a WordPress plugin has previously been installed, WordPress will use saved SFTP credentials as part of the upload process. If the credentials have changed or a plugin has not previously been installed, the application prompts the user for credentials. Regardless of installation status, and prior to the user being prompted for SFTP credentials, the file is uploaded into the "/wp-content/uploads/" directory.

+------------+
|Exploitation|
+------------+

Exploitation of this vulnerability requires a malicious user with access to the admin panel to use the "/wp-admin/plugin-install.php?tab=upload" page to upload a malicious file. Upon clicking upload, the page displays an "installing plugin" message that loops indefinitely. At this point, the malicious user can simply browse to "http://<vulnerablesite>/wp-content/uploads/<year>/<month>/<uploadedfile>". A PHP shell can be uploaded in this manner in order to gain arbitrary remote command execution.
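Two defender-side checks that follow from this advisory, added here as an example and not part of the original advisory or of WordPress: one scans a wp-content/uploads tree for files Apache would hand to PHP (which the Description says should never land there via a legitimate media upload), the other verifies that an Apache configuration carries the php_flag engine off block given in the Workaround below. The sample upload tree and the sample vhost configuration are constructed for the demonstration, and the function names are the example's own.

```python
import re
import tempfile
from pathlib import Path
# Extensions a stock Apache + mod_php deployment hands to the PHP engine.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

def find_executable_uploads(uploads_root):
    """List files under uploads_root that Apache could run as PHP; later dotted
    segments count too, so shell.php.jpg (AddHandler-based mod_php) is reported."""
    root = Path(uploads_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            segments = path.name.lower().split(".")[1:]
            if any("." + seg in PHP_EXTENSIONS for seg in segments):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def uploads_php_disabled(config_text, uploads_dir):
    """True if config_text has a <Directory uploads_dir> block containing
    `php_flag engine off`, the advisory's Apache workaround."""
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        start = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if start:
            in_block = start.group(1).rstrip("/") == uploads_dir.rstrip("/")
        elif re.match(r"</Directory>$", line, re.I):
            in_block = False
        elif in_block and re.match(r"php_flag\s+engine\s+off$", line, re.I):
            return True
    return False

def build_sample_uploads():
    """Constructed sample: a WordPress-style uploads tree with one benign image
    and two PHP files where only media should ever live."""
    root = Path(tempfile.mkdtemp())
    for rel in ("2012/06/photo.jpg", "2012/06/shell.php", "2012/06/c.php.jpg"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("sample\n")
    return root

# Constructed sample vhost; the path stands in for the real uploads directory.
SAMPLE_CONFIG = """<VirtualHost *:80>
    <Directory /var/www/html/wp-content/uploads>
        php_flag engine off
    </Directory>
</VirtualHost>
"""
```

Run find_executable_uploads against a live uploads tree from cron and alert on any hit; the config check only proves the directive is present, so follow it with a request for a harmless .php file in the uploads path and confirm the server returns it as plain text rather than executing it.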
+------------+
| Workaround |
+------------+

Modify the web server configuration to disable the execution of PHP within the uploads directory.

Apache example: in the VirtualHost directive, add the following:

<Directory /full/path/to/uploads/directory>
    php_flag engine off
</Directory>

+------+
|Credit|
+------+

Discovered and advised to WordPress in June 2012 by Denis Andzakovic of Security-Assessment.com.

+-------------------+
|Disclosure Timeline|
+-------------------+

31-05-2012  Initial vulnerability report sent to WordPress Security Team
07-06-2012  Follow up email sent to WordPress Security Team
08-06-2012  Emails between SA and WordPress Security Team. WST asserts that this is not a vulnerability and that "we just have to trust that the administrator isn't uploading malicious PHP"
21-06-2012  Release of this advisory

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom. Security-Assessment.com is currently looking for skilled penetration testers.
If you are interested, please email 'hr at security-assessment.com'

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/