Basic Contact Form <= 1.0.3 - Potential Unauthenticated Shell Upload


Description
Attachments uploaded through the contact form are stored under their original name after a check of the final extension only, so depending on the web server configuration an unauthenticated attacker can upload and execute arbitrary PHP code.

The issue is closely related to this one (https://www.exploit-db.com/exploits/10089/); the explanation there helps to understand the problem.

The following code is part of the function bcf_basic_contact_form_a().

functions.php:81

	$filetype = wp_check_filetype($temp);


functions.php:86-114

	if (($filetype['type'] == 'application/msword') 
		||  ($filetype['type'] == 'text/plain') 
		|| ($filetype['type'] == 'application/pdf') 
		||($filetype ['type'] == 'application/vnd.msword') 
		||($filetype ['type'] == 'application/vnd.ms-word') 
		||($filetype ['type'] == 'application/word') 
		||($filetype ['type'] == 'application/vnd.openxmlformats-officedocument.wordprocessingml.document') 
		||($filetype ['type'] == 'application/rtf') 
		||($filetype ['type'] == 'image/jpeg') 
		||($filetype ['type']== 'image/gif')
		||($filetype ['type']== 'image/png') 
		||($filetype ['type']== 'image/jpg'))
		{
	  		if (sanitize_text_field($_FILES["file"]["error"] > 0))
				{
					$errorMessage .= "<li> Error:" . sanitize_text_field($_FILES["file"]["error"]) ."</li>";	
				}
			else
				{
					$uploads_url = wp_upload_dir() ;
					$upload_dir = $uploads_url['basedir'];
					$upload_dir2 = $upload_dir . '/bcf_uploads/';
						if (! is_dir($upload_dir2)) {wp_mkdir_p( $upload_dir2);}
							$uploads_url = $upload_dir2;
							move_uploaded_file(sanitize_text_field($_FILES["file"]["tmp_name"]), $uploads_url . sanitize_text_field ($_POST['firstname']) . '.'.sanitize_text_field ($_POST['surname']) .'_' . sanitize_text_field($_FILES["file"]["name"]));
						}
				}
[...]



The code above contains the main problem. wp_check_filetype() matches the filename against the allowed extensions anchored at the end of the name, so only the final extension counts: a file named malicious.php.jpg is classified as image/jpeg and passes the allow-list.

The next problem is that the plugin stores the file under a fully predictable name: $uploads_url . sanitize_text_field($_POST['firstname']) . '.' . sanitize_text_field($_POST['surname']) . '_' . sanitize_text_field($_FILES["file"]["name"]), i.e. <uploads basedir>/bcf_uploads/<firstname>.<surname>_<original filename>. The attacker chose every one of those values, so the uploaded file is trivial to locate, and every extension of the original name, .php included, is preserved.

The Apache documentation on multiple extensions (https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext) explains why that matters:

"Files can have more than one extension; the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of metadata, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the media-type image/gif and .html maps to the media-type text/html, then the file welcome.gif.html will be associated with the media-type text/html.

Care should be taken when a file with multiple extensions gets associated with both a media-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the media-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html media-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file."

So if the WordPress site maps PHP with an extension-based directive such as AddHandler application/x-httpd-php .php (or the equivalent AddType) in its Apache configuration or .htaccess, that mapping also applies to malicious.php.jpg and the server executes the code in the uploaded file. Setups that bind the PHP handler with SetHandler inside a <FilesMatch "\.php$"> block (the usual php-fpm configuration) or that do not run Apache are not affected by this particular trick, which is why the shell upload is "potential" rather than certain.
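As an added illustration (not code from the Basic Contact Form plugin or from WordPress), the following stand-alone PHP script models the last-extension check described above and contrasts it with a hardened upload routine. The allow-list table, the bcf_check_filetype_by_last_ext()/bcf_validate_upload()/bcf_store_upload() names and the .htaccess contents are this example's own; it assumes the fileinfo extension is loaded and, for the .htaccess to take effect, that Apache grants AllowOverride FileInfo and AuthConfig on the upload directory.

```php
<?php
// Added example, not code from the Basic Contact Form plugin or from WordPress.
// Part 1 models the check the advisory describes: the MIME type is derived from
// the LAST extension only, so "malicious.php.jpg" passes as image/jpeg.
// Part 2 is one way to harden the upload: vet every extension segment, sniff the
// content, store under an unpredictable name, and deny script execution in the
// upload directory. Run from the CLI: php bcf_upload_demo.php

// Subset of the extension => MIME table WordPress uses (wp_get_mime_types()).
const BCF_ALLOWED_MIMES = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
    'pdf'          => 'application/pdf',
    'txt'          => 'text/plain',
];

// Part 1: models wp_check_filetype(). Each "ext1|ext2" key becomes a regex
// anchored at the end of the name, so everything before the final dot is ignored.
function bcf_check_filetype_by_last_ext(string $filename): array
{
    foreach (BCF_ALLOWED_MIMES as $exts => $mime) {
        if (preg_match('!\.(' . $exts . ')$!i', $filename, $m)) {
            return ['ext' => strtolower($m[1]), 'type' => $mime];
        }
    }
    return ['ext' => false, 'type' => false];
}

// Part 2a: every segment after the base name must be an allowed, non-script
// extension, and the bytes must match the type the last extension claims.
// Returns the vetted extension to store under, or null to reject.
function bcf_validate_upload(string $clientName, string $tmpPath): ?string
{
    $allowed = [];
    foreach (BCF_ALLOWED_MIMES as $exts => $mime) {
        foreach (explode('|', $exts) as $e) { $allowed[$e] = $mime; }
    }
    $segments = explode('.', basename($clientName));
    array_shift($segments);                        // drop the base name
    if ($segments === []) { return null; }         // no extension at all
    foreach ($segments as $seg) {
        if (!isset($allowed[strtolower($seg)])) { return null; }  // e.g. "php"
    }
    $ext = strtolower(end($segments));
    // Content sniffing is defence in depth: it ignores the filename entirely,
    // but what libmagic reports varies by version, so it is not the only gate.
    $actual = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($actual !== $allowed[$ext]) { return null; }
    return in_array($ext, ['jpeg', 'jpe'], true) ? 'jpg' : $ext;
}

// Part 2b: random name (no firstname/surname/original name in the URL) and an
// .htaccess that refuses to execute scripts however Apache maps ".php".
// Assumes AllowOverride FileInfo,AuthConfig on the upload directory.
function bcf_store_upload(string $tmpPath, string $ext, string $uploadDir,
                          callable $move = 'move_uploaded_file'): string
{
    if (!is_dir($uploadDir)) { mkdir($uploadDir, 0755, true); }
    $htaccess = $uploadDir . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, implode("\n", [
            '# Match ".php" anywhere in the name, not only at the end.',
            '<FilesMatch "\.(?:ph(?:p[0-9]*|tml|ar)|cgi|pl)">',
            '    Require all denied',
            '</FilesMatch>',
            'RemoveHandler .php .phtml .phar',
            'RemoveType .php .phtml .phar',
        ]) . "\n");
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$move($tmpPath, $dest)) { throw new RuntimeException('store failed'); }
    return $dest;
}

// Demo on constructed inputs (no web server, so plain rename() stands in for
// move_uploaded_file(), which only accepts files PHP itself received).
$dir = sys_get_temp_dir() . '/bcf_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/a.bin", "GIF89a\x01\x00\x01\x00<?php system(\$_GET['c']); ?>");
file_put_contents("$dir/b.bin", "<?php system(\$_GET['c']); ?>");
file_put_contents("$dir/c.bin", "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

var_dump(bcf_check_filetype_by_last_ext('malicious.php.jpg')['type']); // last-ext check: accepted as an image
var_dump(bcf_validate_upload('malicious.php.jpg', "$dir/a.bin"));      // rejected: "php" segment
var_dump(bcf_validate_upload('shell.jpg', "$dir/b.bin"));              // rejected: bytes do not sniff as image/jpeg
$ext = bcf_validate_upload('photo.gif', "$dir/c.bin");                 // accepted: real GIF bytes, single extension
echo bcf_store_upload("$dir/c.bin", $ext, "$dir/bcf_uploads", 'rename'), "\n";
```

The two defences are independent: the random name removes the predictable URL, and the .htaccess denies execution even on a host that uses AddHandler, because the FilesMatch pattern is not anchored at the end of the name. Content sniffing alone is not a sufficient gate (a polyglot that starts with a valid image header can sniff as an image), which is why the extension segments are checked first.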

Other vulnerabilities submitted to wpvulndb: https://wpvulndb.com/search?utf8=%E2%9C%93&text=Paul+Dannewitz

Affects Plugin

References

EXPLOITDB 10089

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Paul Dannewitz
Submitter Twitter padannewitz
Views 164
Verified No
WPVDB ID 8916

Timeline

Publicly Published 2017-09-23
Added 2017-09-28
Last Updated 2017-09-28

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.