Arbitrary File Upload Vulnerability

This article will talk about the Arbitrary File Upload Vulnerabilities noticed on numerous WordPress website plugins and which pose a serious concern in terms of the website’s security. Some of the popular plugins affected by this are-

  • PHP Event Calendar
  • WpShop – eCommerce
  • IP-Logger
  • Open Flash Chart Core
  • Ultimate Member
  • JS Job Manager
  • KingComposer
  • 3D Product configurator for WooCommerce Users can upload various music, images, documents etc. through the mentioned tools on WordPress. But this freedom to upload can be exploited by many hackers to perform malicious tasks since they can upload PHP or ASP script files and execute them to gain access to the web server. Let us see what the vulnerabilities exactly are and how to prevent these.

Types of File Upload Vulnerabilities

There are primarily two types of file vulnerabilities observed till now in the WordPress plugins. We can name them according to the basic uploading methods that the hacker utilizes and how it leads to the breakdown of the site. These two types are-

  1. Local Upload Vulnerabilities
  2. Remote Upload Vulnerabilities Let us examine these in detail, delving into the source of the vulnerabilities and how they can be efficiently prevented.

Local Upload Vulnerabilities

It is a vulnerability where the hacker directly uploads a file to the website through a faulty application and then executes the file to fulfill the malicious task. If we look at the script “includes/ajax.php” in the Wpshop – eCommerce 1.3.9.5, we notice a vulnerability which allowed anonymous users to execute different actions (https://g0blin.co.uk/g0blin-00036/). The “elementCode” parameter names the action that can be executed. One of these is the ‘ajaxUpload’ action, which allows the upload of arbitrary files due to the lack of proper filtering of the user input. This was reported in 2015, and presently the issue has been resolved. But it exposes the vulnerability that various other plugins may contain. This led to the discovery of some basic mistakes that the developers make, and which result in loss of control. The problem arises due to the following major blunders performed-

  1. The lack of proper authentication on the part of the user results in the unclear identity of the user, and thus an unidentified person can get access to the upload page and use it for arbitrary file transfers. The hackers do not need to sign-in onto the page and still, they would be able to upload the file onto the server of the website. The developer in such a case needs to impose a check so that the identity of the user can be verified before acceptance of any kind of file from the user. The following code snippet shows how it can work for this matter.

    If(!currentusercan(‘uploadfiles’)) //Checking the users uploading permission Wpdie((‘Upload permission not granted!’)); //Further file upload process resumes

  2. The name of the file can be ambiguous, and this results in the bypassing of any checks that the developers may have implemented. For example, a PHP script file may be uploaded with the extension of an image file like “.jpg”, and this would be readily accepted as a response. But later this file can be executed by the attacker to gain access and perform other malicious tasks.

    Thus, developers need to be extra careful to check that the file extension is not tampered with and sent, which can be later executed on the web server. They can use already present WordPress native tools which check the authenticity of a given file and then give an approval. Else, the developer can use a code snippet, as mentioned below, to implement a check for the same.

$fileInfo = wp_check_filetype(basename($_FILES[‘wpshop_file’][‘name’])); //Checking the uploaded file’s extension If (!empty($fileInfo[‘ext’])) { // Valid file entered } else // Invalid file entered }

In this code the developer has implemented the “wp_check_filetype()” function to verify the extension of the file to be uploaded and hence provide permission for further steps to be performed. The function by default prevents files that are of executable type or contain executable codes to be uploaded.

Further protection can be implemented by putting a mime check that would allow only images to be uploaded. This is simply setting up an array of allowable extensions. After the file has been verified, the file upload will be handled by the native WordPress function “wp_handle_upload()”. This function would take a reference to the allowable file types entered and return an array containing the URL, path and the time of the upload being sent.

  1. You can put up a further barrier of security by checking the file for truly containing what you desire instead of attackers putting up the executable code in its place. For example, in case of images, this can be done by calling the “getimagesize()” function in PHP, which will take the header information and return the size of the image (pixels) contained in the file. This value proves the authenticity of the file and you can rest assured about it. The following sample code snippet demonstrates this.

if ([email protected]($_FILES[‘wpshop_file’][‘tmp_name’])) //checking image header for size { wp_die((‘Uploaded image is invalid!’)); //returning error message }

Remote Upload Vulnerabilities

This type of vulnerability occurs when an application on the website receives user’s instructions to download the desired file from somewhere on the Internet and store it, and then the hacker executes this file to cause problems. This mainly occurs across applications that do not accept direct downloads, but instead, ask for the URL of the file to be uploaded and the application itself downloads it from there. This file will then be saved somewhere in the local disk of the server and the attacker can gain access to this and execute the code in the file. The vulnerability found in a popular image resizing library named TimThumb, which is used across many WordPress plugins, is one example of a remote upload vulnerability. It allowed third parties to upload executable PHP files, which may be hosted on their own website, in place of images. This file would be stored in a publicly accessible storage area and then the code could be executed to compromise the web server. The files would appear harmless by the name of “Thumb.PHP” and it will be accepted by the application.

How the Vulnerability is Exploited

The attacker first detects the presence of this vulnerability on the website using tools like WPScan, which exactly tells you what vulnerability is present (in our case, file upload vulnerability) and in which tool (for example, Wpshop – eCommerce) of the website. Once confirmed, they exploit the file upload vulnerability by uploading a file directly or uploading a remote file through a given URL. After the file has been downloaded on the Web Server’s publicly accessible area, the attackers use tools like Metasploit to gain a remote shell on the platform. From this shell, they can use the server platform vulnerabilities to gain root access or they execute the file that was uploaded and compromise the security of the server.

Preventive Measures from File Upload Vulnerabilities

Now we come to the preventive measures for protecting your website from these file vulnerabilities that we just discussed -

  1. Acceptance of certain file extensions only, taking the Whitelist approach. The previously discussed code can be implemented to let only the files with the required extension to pass. This way we can reduce the risks involved with unknown extensions or uncommon ones, which may be easily compromised for executable code. Also, checking for double extensions should be done (for example, “.php.png”).
  2. Verify any file downloaded from the Internet similarly as done for direct uploads, to prevent remote file vulnerabilities. The files fetched from given URLs should be treated with equal suspicion as the previous category of uploads.
  3. Restrict your user base to authentic people so that the files they upload can be authorized without much need of checking and so that there is less chance of random attackers uploading content to your website.
  4. The files downloaded from URLs or uploaded directly by the users must be stored in such a location which is not publicly accessible. Implementing this step can ensure a 100% security from the attackers since they would not have access to the platform itself for executing any kind of code, whether native or remotely uploaded.
  5. Prefer to use the files that have been downloaded from the application itself and not from the Web Server directly. The applications have better layers of security and this will protect your platform better.
  6. Modify the uploaded file immediately after receiving such that the attacker cannot execute it. This can be done by adding a header which only you will know, and later remove it when viewing or using the file. Else, the name of the file itself can be changed to something else, which is indiscernible by the attacker.
  7. Change permissions for the uploaded files so that they cannot be executed by anyone.

Conclusion

File vulnerabilities are quite popular nowadays and they are one of the easiest methods through which an attacker can compromise your web platform. This mainly occurs due to lack of proper security measures on the part of the developer and thus the problem can be solved at the root itself by checking the incoming file. Also, you can implement security steps to further ensure that the file uploaded itself is trustworthy, by ensuring a restricted domain of users and file types. Thus, these WordPress vulnerabilities can be overcome by using simple steps.

Clean My Hacked Website Now

Website Malware Cleanup Website Malware Cleanup

Have you been hacked? Do you need help with fixing your website? We provide professional malware cleanup services to get your business back online quickly.

Removal of Security Warnings Removal of Security Warnings

If your website is hacked, your visitors may be shown a warning message. Astra will take the necessary steps to remove your website from the blacklists ASAP.

Astra Website Firewall (WAF) Website Firewall (WAF)

Stop future website hacks with Astra WAF & protect your website. No hassle out-of-the-box security tailored to your technology stack & CMSs like WordPress, Magento, Opencart etc.

Real Human Support Real Human Support

Astra's team of security engineers guide you through your security journey. We believe in customers first, so no waiting in long queues to get your queries answered.

This information is provided as part of the Astra community project. All information should be considered as-is, without guarantees. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to [email protected]

Astra Pro Plan
$228/year
Get Started
Malware Cleanup (12h)
Rock-solid Website Firewall
Automatic Malware Scanner
Bad Bot Protection
Blacklist Monitoring
File Upload Scanning
IP & Country Blocking
GDPR Consent Tool