The WordPress User Submitted Posts plugin, which has 30,000+ active installations, was prone to an arbitrary file upload vulnerability in version 20190426 and below that could allow an unauthenticated user to upload and run a PHP script.

While securing a customer's WordPress blog, I noticed that there were a few pending updates available and, among them, one for the User Submitted Posts plugin. It looked like a security issue had been reported by someone and fixed by the author in the new version 20190426:

There was a vulnerability in the previous versions of the plugin that allowed an unauthenticated user to upload a PHP script by using its "Image Uploads" feature, which was supposed to allow image files only. But I was skeptical about the fact that the new code, which was just checking for a *.php extension, was enough to solve the issue.

One very simple way to bypass that is to use a double extension. On a server using Apache with PHP FastCGI, the file will be forwarded to and executed by the PHP interpreter. Note that such a trick won't work on a server running PHP-FPM. We have already seen similar issues, for instance last year with the zero-day vulnerability in the WordPress LearnDash LMS plugin.

To sanitize the file name, developers can use the WordPress sanitize_file_name() function, which will turn such a file name into script.php_.gif.

When uploading a file, the plugin will perform various checks in the usp_check_images() function, located in the user-submitted-posts.php script, in order to verify that the file is an image: it checks its type, its size, etc.:

```php
for ($i = 0 $i 0) */
```

Here is PHP's php_handle_gif() routine:

```c
static struct gfxinfo *php_handle_gif(php_stream *stream)
{
	struct gfxinfo *result = NULL;
	unsigned char dim[5];

	/* skip the three bytes following "GIF", which the caller has already checked */
	if (php_stream_seek(stream, 3, SEEK_CUR))
		return NULL;

	/* read width (2 bytes), height (2 bytes) and the Global Color Table flags byte */
	if (php_stream_read(stream, (char *)dim, sizeof(dim)) != sizeof(dim))
		return NULL;

	result = (struct gfxinfo *) ecalloc(1, sizeof(struct gfxinfo));
	result->width  = (unsigned int)dim[0] | (((unsigned int)dim[1]) << 8);
	result->height = (unsigned int)dim[2] | (((unsigned int)dim[3]) << 8);
	result->bits   = dim[4] & 0x80 ? ((((unsigned int)dim[4]) & 0x07) + 1) : 0;

	return result;
}
```

When entering this routine, PHP has already checked the first three bytes (GIF) and will skip the next three ones (one byte from the SignatureHi, a word from the SignatureLo). It will then check the following two bytes (image width), the next two (image height) and the next byte (Global Color Table flags), and will stop there. Therefore we can bypass that function by forging a fake 11-byte GIF image. In the following example, I'm setting the width and height to 100 pixels (0x0064) because, by default, User Submitted Posts will not accept values higher than 1500×1500 pixels:
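The header-only dimension check discussed above, reproduced in Python as an added example that is not the post's or the plugin's code: gif_dimensions() mirrors what php_handle_gif() reads, and the hypothetical accept_upload() shows the two controls a defender wants here, an extension allow-list applied to every segment of the name (so a double extension is refused) and a requirement that the upload be a complete GIF rather than an 11-byte header. The sample bytes are constructed; the trailer check is my assumption, not something the plugin does.

```python
import struct

# Constructed samples: the 11-byte forged header the post describes
# (width and height 0x0064 = 100, then a Global Color Table flag byte),
# and a real 35-byte 1x1 GIF for comparison.
FAKE_GIF_HEADER = b"GIF89a" + struct.pack("<HH", 100, 100) + b"\x80"
MINIMAL_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
               + b"\x00\x00\x00\xff\xff\xff"          # 2-colour global table
               + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
               + b"\x02\x02\x44\x01\x00" + b"\x3b")   # LZW data + trailer

ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}
MAX_DIMENSION = 1500  # the plugin's default limit quoted in the post


def gif_dimensions(data: bytes):
    """Mirror php_handle_gif(): after the 6-byte signature/version, read
    width and height as little-endian words and the GCT flag byte, then stop.
    Returns (width, height, bits) or None when the header is too short."""
    if len(data) < 11 or data[:3] != b"GIF":
        return None
    width, height = struct.unpack("<HH", data[6:10])
    flags = data[10]
    bits = (flags & 0x07) + 1 if flags & 0x80 else 0
    return width, height, bits


def header_only_check(data: bytes) -> bool:
    """A getimagesize()-style dimension check: it never looks past byte 10,
    so the forged 11-byte header passes it."""
    dims = gif_dimensions(data)
    return dims is not None and max(dims[0], dims[1]) <= MAX_DIMENSION


def safe_file_name(name: str) -> bool:
    """Allow-list every extension segment, not just the last one, so
    script.php.gif is rejected on its 'php' segment."""
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:])


def accept_upload(name: str, data: bytes) -> bool:
    """Hypothetical hardened check (assumption, not the plugin's code):
    allow-listed name, in-range dimensions, and a GIF trailer byte (0x3B)
    so a bare header is refused. A trailer alone proves nothing about the
    content, so the name allow-list is the control that actually matters."""
    return (safe_file_name(name) and header_only_check(data)
            and data.endswith(b"\x3b"))
```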