Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Sean Barton

    (@seanbarton)

    Thanks for this. I completely agree with you and will make that change this afternoon. I suppose it does somewhat scupper the plans of anyone using it with custom roles though. Why not make it accessible for anyone with a role higher than level_1 (subscriber)? This means general users can’t send files but anyone else with any privilege can.

    Since you did me the courtesy of a full explanation I will await a reply on your thoughts here as maybe you have considerations that have yet to occur to me?

    thanks
    Sean

    Thread Starter DigiP

    (@digip)

    Well, without looking at the plug-in itself, I haven’t seen what source code you used to add the plug-in to wordpress, but if there is an admin panel or role setting, I would make it administrator or editor, so people registering, who are generally just subscribers, wouldn’t have access to the plug-in.

    In general, low-level users such as readers who register to make comments, such as subscribers only, should not have upload access to your site or be able to make blog posts. If they did, well, then they should have access to the default media uploader on blog posts and pages they add anyway, so limiting the role to higher-level users would, in my mind, mitigate abuse by subscribers of a site, for people who leave registration open to the public on their WordPress sites. By default, registration is turned off, so a site owner would have to enable this. If it was a site that also used something like, say, the S2 Subscriber plug-in, to have access to paid-for pages and posts, they generally only have read access to those pay-for pages and posts or download content, but in general don’t have access to make blog posts or pages. If however this plug-in shows up under their sign-ons, they could upload a reverse shell, and then root the site to deface it, read the wp-config.php file, inject a payload to overwrite the admin’s password in the database with their own, and then log in as the admin, change the admin’s email, etc.

    So my suggestion, is make the plug-in available only to administrators or editor roles.

    http://codex.wordpress.org/Roles_and_Capabilities#Administrator

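As an added example (not code from the plugin or from either poster), here is how the gating discussed above can be done with a WordPress capability check instead of the deprecated user levels Sean mentions (user levels such as level_1 have been deprecated since WordPress 3.0 in favour of roles and capabilities). Checking `edit_others_posts` admits Editors and Administrators in a default install, which is DigiP's suggestion, while a filter lets a site with custom roles widen it. The hook name `admin_post_my_file_sender_upload`, the function and filter names, the field name `my_file`, and the text domain are all assumptions made for this example; `current_user_can`, `check_admin_referer`, `wp_check_filetype_and_ext`, `get_allowed_mime_types` and `wp_handle_upload` are real core functions.

```php
<?php
/*
 * Added example, not the plugin's own code.
 * Gates a file-sending feature behind a capability (not a user level) and
 * lets core validate the file type before anything is written to disk.
 * Assumed names: my_file_sender_* functions/filter, the 'my_file' field,
 * the 'my-file-sender' text domain and the admin_post action.
 */

// Capability required to use the feature. 'edit_others_posts' is held by
// Editors and Administrators by default, not by Subscribers, Contributors
// or Authors. Sites with custom roles can change it through the filter
// (assumed filter name).
function my_file_sender_required_cap() {
    return apply_filters( 'my_file_sender_required_cap', 'edit_others_posts' );
}

// Handler for POST requests to admin-post.php?action=my_file_sender_upload.
function my_file_sender_handle_upload() {
    // 1. Refuse anonymous visitors and any logged-in user without the capability.
    //    A Subscriber (the default role for open registration) fails here.
    if ( ! is_user_logged_in() || ! current_user_can( my_file_sender_required_cap() ) ) {
        wp_die( esc_html__( 'You are not allowed to send files.', 'my-file-sender' ), 403 );
    }

    // 2. Nonce check so a privileged user cannot be tricked into submitting
    //    the form from another site.
    check_admin_referer( 'my_file_sender_upload', 'my_file_sender_nonce' );

    if ( empty( $_FILES['my_file'] ) || ! is_uploaded_file( $_FILES['my_file']['tmp_name'] ) ) {
        wp_die( esc_html__( 'No file was uploaded.', 'my-file-sender' ), 400 );
    }

    // 3. Only accept types on the site's upload whitelist. .php, .phtml and
    //    similar are not in get_allowed_mime_types(), so a renamed shell that
    //    does not match both extension and content is rejected here.
    $check = wp_check_filetype_and_ext(
        $_FILES['my_file']['tmp_name'],
        $_FILES['my_file']['name'],
        get_allowed_mime_types()
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( esc_html__( 'This file type is not permitted.', 'my-file-sender' ), 415 );
    }

    // 4. Let core move the file into the uploads directory. It re-validates
    //    the type and produces a unique, sanitised filename.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['my_file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }

    // $result['file'] and $result['url'] can now be handed to the sending logic.
    return $result;
}
add_action( 'admin_post_my_file_sender_upload', 'my_file_sender_handle_upload' );
```

The form that posts to this handler needs a matching nonce field, e.g. `wp_nonce_field( 'my_file_sender_upload', 'my_file_sender_nonce' )`. Because the check is on a capability rather than a role name, a custom role that has been granted `edit_others_posts` (or whatever the filter returns) passes, which addresses Sean's concern about custom roles without opening the feature to every registered user.
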
  • The topic ‘Possible file type issue’ is closed to new replies.