0day vuln – Remote file upload in User Profiles Made Easy – WordPress Plugin

January 15, 2014 5:31 am

After finding out that UserPro was vulnerable, the client decided to switch to another plugin, but it seems that other, similar plugins are vulnerable too.

http://codecanyon.net/item/user-profiles-made-easy-wordpress-plugin/4109874

This one is a bit more secure, but still not enough (hehe.. there is no such thing as "a lot of security").

Details will follow once the vendor fixes the issue.

The vulnerability is in upme/classes/class-upme-save.php:

foreach ($_FILES as $key => $array) {
	// extract() turns the client-controlled entries (name, type, tmp_name, size) into local variables
	extract($array);
	if ($name) {
		// Security Check Start
		// Checking for image size. If this is a real image (not tampered with) then this function will return width and height and other values.
		// Note: this only proves the bytes parse as an image; it says nothing about the file name or its extension.
		$image_data = getimagesize($tmp_name);
		$clean_file = true;
		if (!isset($image_data[0]) || !isset($image_data[1]))
			$clean_file = false;
		// Security Check End
		$clean_key = str_replace('-' . $this->userid, '', $key);
		// $type is $_FILES[...]['type'], the MIME type sent by the client; the extension of $name is never checked
		if (!in_array($type, $this->allowed_extensions)) {
			$this->errors[$clean_key] = __('The image file extention is not allowed!', 'upme');
		} elseif ($size > $this->max_size) {
			$this->errors[$clean_key] = __('The file you have selected exceeds the maximum allowed image size.', 'upme');
		} elseif ($clean_file == false) {
			$this->errors[$clean_key] = __('The file you selected appears to be corrupt or not a real image file.', 'upme');
		} else {
			// Checking for valid uploads folder
			if ($upload_dir = upme_get_uploads_folder_details()) {
				$target_path = $upload_dir['basedir'] . "/upme/";

				// sanitize_file_name() strips dangerous characters but keeps the final extension, so "x.php" stays "x.php"
				$base_name = sanitize_file_name(basename($name));
				$target_path = $target_path . time() . '_' . $base_name;
				$nice_url = $upload_dir['baseurl'] . "/upme/";
				$nice_url = $nice_url . time() . '_' . $base_name;
				// the file lands in the web-reachable uploads folder under its original extension
				move_uploaded_file($tmp_name, $target_path);
			}
		}
	}
}

This script doesn't check the file extension at all; it only checks $type, which is the MIME type supplied by the client in the multipart request ($_FILES[...]['type']).

It is possible to change the MIME type manually and upload an image with PHP code inside it (either in the EXIF data, or using the technique described here: https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) and save it as "*.php".

The only part that causes some difficulty is this line:

$nice_url = $nice_url . time() . '_' . $base_name;

Since the stored name is prefixed with the server's time(), you need to get the date and time from the server to find out the filename.
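For comparison, here is how the same check looks when done properly. This is an added example (PHP 8), not the vendor's fix; the function name upme_store_image, its arguments and the GD re-encoding step are my assumptions. The extension is allowlisted, the type is taken from getimagesize() instead of the client-supplied $type, and the file is stored under a random name with the detected extension, which also removes the predictable time() prefix.

```php
<?php
// Hardened replacement for the check above (added example, not UPME's fix).
// Assumed inputs: one $_FILES entry, a writable $targetDir, a byte limit.

// Canonical extension for each type getimagesize() reports in $info[2].
const UPME_IMAGE_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function upme_store_image(array $file, string $targetDir, int $maxSize): string
{
    // Reject failed uploads and anything that did not arrive via the request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not an uploaded file.');
    }
    // Use the real size on disk, not the client-reported $file['size'].
    if (filesize($file['tmp_name']) > $maxSize) {
        throw new RuntimeException('File exceeds the maximum allowed size.');
    }
    // 1. Allowlist the extension of the submitted name. This is the check the
    //    plugin lacks: "shell.php" is refused no matter what MIME type it claims.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('The image file extension is not allowed.');
    }
    // 2. Decide the type from the bytes; $file['type'] is never consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(UPME_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('Not a supported image file.');
    }
    $canonicalExt = UPME_IMAGE_TYPES[$info[2]];
    // 3. Re-encode through GD so EXIF or IDAT contents are not copied verbatim,
    //    and store under a random name that carries only the detected extension.
    //    The random name also removes the predictable time() prefix.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    $target = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $canonicalExt;
    $written = match ($canonicalExt) {
        'jpg' => imagejpeg($img, $target, 90),
        'png' => imagepng($img, $target),
        'gif' => imagegif($img, $target),
    };
    if (!$written) {
        throw new RuntimeException('Could not write the image.');
    }
    return $target;
}
```

The uploads folder should additionally be served with PHP execution disabled (for example a php_admin_flag engine off or equivalent rule), so that even a file that slips through is never interpreted.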
