W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary File Upload


Description
When creating a support ticket from the plugin's settings page, you can attach one or more files from your computer.

The files are then sent to the plugin author to help them resolve the issue.

Looking at the code, W3TC handles the attachments like this:
**********
        /**
         * Attach other files
         */
        if (!empty($_FILES['files'])) {
            $files = (array)$_FILES['files'];
            for ($i = 0, $l = count($files); $i < $l; $i++) {
                if (isset($files['tmp_name'][$i]) && isset($files['name'][$i]) && isset($files['error'][$i]) && $files['error'][$i] == UPLOAD_ERR_OK) {
                    $path = W3TC_CACHE_TMP_DIR . '/' . $files['name'][$i];
                    if (@move_uploaded_file($files['tmp_name'][$i], $path)) {
                        $attachments[] = $path;
                    }
                }
            }
        }
**********
and then, once the ticket has been processed:
**********
        /**
         * Remove temporary files
         */
        foreach ($attachments as $attachment) {
            if (strstr($attachment, W3TC_CACHE_TMP_DIR) !== false) {
                @unlink($attachment);
            }
        }
**********

So when you submit the form as an administrator, W3TC moves each uploaded file, under the name supplied by the browser, into its temporary folder /wp-content/cache/tmp/ and deletes it right after the ticket has been sent; normally the file lives only a few milliseconds.

But what if you send two files: the first a 2 KB malicious PHP file containing a backdoor, the second a 20 MB file? The submission takes much longer to complete, and the first file is not deleted until the second one has been dealt with, so during that window the backdoor sits under its original name in /wp-content/cache/tmp/ and can be requested and executed directly.

A WordPress administrator is not necessarily allowed to execute custom PHP code on the server: the administrator role is a WordPress role, not the webmaster's account on the host, so gaining arbitrary code execution from it is a vulnerability.
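As an added illustration of how the handler above could be hardened (this is example code, not W3TC's own or the 0.9.5 fix), the version below never uses the client-supplied file name on disk, refuses executable extensions, stores attachments outside the web root, and deletes them even if the request is slow, fatals out or is aborted. The `example_` function names and the `example.com` address are placeholders; `wp_mail()` is WordPress's real mail function, and `random_bytes()` requires PHP 7 or later.

```php
<?php
// Added example, not W3TC's code: hardened attachment handling for the ticket form.
// example_* function names and the mail address are hypothetical placeholders.

/**
 * Move the uploaded files into a private directory under random names.
 * Returns the list of stored paths; anything suspicious is silently skipped.
 */
function example_collect_attachments(array $files, string $tmpDir): array
{
    // Only inert attachment types: a .php (or .phtml, .phar, ...) upload never reaches disk.
    $allowedExt = ['txt', 'log', 'png', 'jpg', 'jpeg', 'gif', 'zip'];
    $attachments = [];

    // Accept both the single-file and the multi-file shape of $_FILES['files'].
    $names    = (array) ($files['name'] ?? []);
    $tmpNames = (array) ($files['tmp_name'] ?? []);
    $errors   = (array) ($files['error'] ?? []);

    foreach ($names as $i => $origName) {
        if (!isset($tmpNames[$i], $errors[$i]) || $errors[$i] !== UPLOAD_ERR_OK) {
            continue;
        }
        // Only files PHP itself received in this request, never an arbitrary path.
        if (!is_uploaded_file($tmpNames[$i])) {
            continue;
        }
        $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            continue;
        }
        // The client-supplied name is never used on disk: random name, vetted extension.
        $path = $tmpDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (move_uploaded_file($tmpNames[$i], $path)) {
            chmod($path, 0600);
            $attachments[] = $path;
        }
    }
    return $attachments;
}

/**
 * Send the ticket and guarantee cleanup: the shutdown handler runs even when
 * wp_mail() is slow, the script fatals out, or the client aborts the request.
 */
function example_send_ticket(string $to, string $subject, string $body, array $files): bool
{
    // A directory outside the document root: a stored file can never be fetched over HTTP.
    $tmpDir = sys_get_temp_dir() . '/w3tc-tickets';
    if (!is_dir($tmpDir) && !mkdir($tmpDir, 0700, true)) {
        return false;
    }

    $attachments = example_collect_attachments($files, $tmpDir);

    $cleanup = function () use ($attachments) {
        foreach ($attachments as $a) {
            @unlink($a);
        }
    };
    register_shutdown_function($cleanup);

    try {
        return (bool) wp_mail($to, $subject, $body, [], $attachments);
    } finally {
        $cleanup(); // Normal path: remove the files as soon as the mail call returns.
    }
}

// Usage from the ticket form handler (the capability and nonce checks stay the caller's job):
// if (current_user_can('manage_options') && !empty($_FILES['files'])) {
//     example_send_ticket('support@example.com', 'W3TC ticket', $message, $_FILES['files']);
// }
```

The three measures are independent: even if one were removed, the race described above would still fail, because an attacker cannot guess the random name, cannot get a `.php` extension past the allow-list, and cannot reach `sys_get_temp_dir()` through the web server at all.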

Affects

Plugin w3-total-cache
fixed in version 0.9.5

References

URL https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 628
Verified No
WPVDB ID 8627

Timeline

Publicly Published 2016-09-26
Added 2016-09-26
Last Updated 2016-09-27

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.