W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary File Upload



Description
When creating a support ticket from the plugin's page, you can attach one or more files from your computer.

The files are then sent to the plugin author to help diagnose the issue.

Looking at the code, W3TC does the following:
**********
        /**
         * Attach other files
         */
        if (!empty($_FILES['files'])) {
            $files = (array)$_FILES['files'];
            for ($i = 0, $l = count($files); $i < $l; $i++) {
                if (isset($files['tmp_name'][$i]) && isset($files['name'][$i]) && isset($files['error'][$i]) && $files['error'][$i] == UPLOAD_ERR_OK) {
                    // client-supplied file name is used verbatim, extension included
                    $path = W3TC_CACHE_TMP_DIR . '/' . $files['name'][$i];
                    if (@move_uploaded_file($files['tmp_name'][$i], $path)) {
                        $attachments[] = $path;
                    }
                }
            }
        }
**********
and
**********
        /**
         * Remove temporary files
         */
        foreach ($attachments as $attachment) {
            if (strstr($attachment, W3TC_CACHE_TMP_DIR) !== false) {
                @unlink($attachment);
            }
        }
**********

So when the form is submitted as an administrator, W3TC moves each uploaded file into its temporary folder, /wp-content/cache/tmp/ (W3TC_CACHE_TMP_DIR), under the client-supplied file name, then unlinks it once the ticket has been sent. Normally a file lives on disk for only a few milliseconds.

But what if two files are sent in one request: first a 2 KB PHP file containing a backdoor, then a 20 MB file? The cleanup loop only runs after every attachment has been moved and the ticket, with its 20 MB attachment, has been sent, so the request takes much longer, and for the whole of that time the first file sits in /wp-content/cache/tmp/ under the name the attacker chose. During that window it can be requested directly over HTTP and is executed by the web server as PHP.

A WordPress administrator is not necessarily allowed to execute arbitrary PHP on the server: the role is distinct from that of the webmaster or hosting operator, and a site can explicitly withhold file-modification rights from administrators (for example with the DISALLOW_FILE_MODS constant). Turning that role into code execution crosses a privilege boundary, so this is a vulnerability rather than intended behaviour.
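The fix does not have to eliminate the window between move_uploaded_file() and unlink(); it has to make whatever sits in that window harmless. As an added example, not W3TC's own code and not the patch that shipped in 0.9.5, here is a hardened rewrite of the two snippets above. `$tmp_dir` stands in for W3TC_CACHE_TMP_DIR, and the `$send` callable and `send_support_ticket()` are hypothetical stand-ins for the plugin's mail-sending step, which this page does not show.

```php
<?php
// Added example (not W3TC's code): hardened attachment handling for the
// support-ticket form. Assumptions: $tmp_dir is a web-server-writable
// directory (stand-in for W3TC_CACHE_TMP_DIR); $send is a hypothetical
// callable that emails the ticket with the given attachment paths.
declare(strict_types=1);

/**
 * Move accepted uploads into $tmp_dir and return their on-disk paths.
 * The client-supplied name is used only to check the extension against an
 * allow-list; the name on disk is random and never carries a PHP extension,
 * so a file that outlives a long request is still not executable.
 */
function collect_attachments(array $files, string $tmp_dir): array
{
    $allowed = ['txt', 'log', 'png', 'jpg', 'jpeg', 'gif', 'zip', 'gz'];

    // Normalise both the single-file and the files[] multi-file shapes.
    $names = (array) ($files['name'] ?? []);
    $tmps  = (array) ($files['tmp_name'] ?? []);
    $errs  = (array) ($files['error'] ?? []);

    $attachments = [];
    foreach ($names as $i => $client_name) {
        if (!isset($tmps[$i], $errs[$i])
            || $errs[$i] !== UPLOAD_ERR_OK
            || !is_uploaded_file($tmps[$i])) {   // refuse anything PHP did not receive as an upload
            continue;
        }
        $ext = strtolower(pathinfo((string) $client_name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            continue; // "backdoor.php", "x.phtml", "x.phar" are all rejected here
        }
        // Random, non-executable name chosen by the server, not the client.
        $path = rtrim($tmp_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
        if (@move_uploaded_file($tmps[$i], $path)) {
            $attachments[] = $path;
        }
    }
    return $attachments;
}

/**
 * Send the ticket and always delete the temporary copies afterwards,
 * even when sending throws. $send receives the attachment paths and
 * returns true on success (hypothetical stand-in for the mail step).
 */
function submit_ticket(array $files, string $tmp_dir, callable $send): bool
{
    $attachments = collect_attachments($files, $tmp_dir);
    try {
        return (bool) $send($attachments);
    } finally {
        $prefix = rtrim($tmp_dir, '/') . '/';
        foreach ($attachments as $attachment) {
            // Same "only delete inside our tmp dir" guard as the original,
            // but anchored to the start of the path instead of a substring match.
            if (strpos($attachment, $prefix) === 0) {
                @unlink($attachment);
            }
        }
    }
}

// Usage from the ticket form handler (request context only; the $_FILES
// checks above return false when run from the CLI):
// $ok = submit_ticket(
//     (array) ($_FILES['files'] ?? []),
//     W3TC_CACHE_TMP_DIR,
//     function (array $paths): bool { return send_support_ticket($paths); } // hypothetical
// );
```

Two defence-in-depth measures are worth adding alongside this: keep the temporary directory outside the document root, or drop a `.htaccess` containing `Deny from all` (Apache 2.2) / `Require all denied` (Apache 2.4) into it so nothing there is ever served; and, when auditing a site that ran an affected version, look for leftovers with `find wp-content/cache/tmp -type f -name '*.php'`, since a failed or interrupted ticket submission would have left the attacker's file in place permanently.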

Affects Plugin

Fixed in version 0.9.5

References

URL https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 5802
Verified No
WPVDB ID 8627

Timeline

Publicly Published 2016-09-26
Added 2016-09-26
Last Updated 2019-11-01
