The WP elite is safe, but are you? Are you a WP service provider of any kind (hosting company, small or big agency, developer or webmaster of a popular WP-based online solution) who doesn't have exclusive access to the security reports and knowledge that researchers send to WP? If so, you are in the right place. If you are part of the elite, feel free to continue to the internal trackers and read this information, which has been sitting there for a long time.
Arbitrary file delete vulnerability a.k.a. WP scotch
WP suffers (present tense on purpose, because it still does) from an arbitrary file delete vulnerability, already published and "fixed" a few times by the WP elite. In the past I had released an advisory explaining that the vulnerability isn't fixed and the reasons why:
- Delete any "thumb" file in the same directory as the attachment
- Complete bypass of the offered fix
- A little theory on why the current fix isn't complete from an input perspective, and the history of it
PoC arbitrary file delete
Navigate to your wp root directory and create a delete_target.php file. After that, run the following code:
Implications and conclusions from the above code
This means that anyone who can meddle with the protected meta _wp_attached_file of a certain attachment is able to carry out this type of attack, i.e. that is the only condition for a successful attack. The $meta['thumb'] part isn't interesting at all, because WP sanitizes that input this way (the file only needs to exist on the file system):
$newmeta['thumb'] = wp_basename( $_POST['thumb'] );
Meddling with protected meta
The easiest way to add _wp_attached_file is via the wordpress-importer plugin that WP core recommends. We all know that using the importer is a security issue by itself (options, unserialize of user input, ...), but on many projects those things are hardened and these types of attacks are impossible. That is why we have this issue: to bypass those (kidding, to patch the projects without access to the exclusive information of the WP elite). :)
Given this information, examples of vulnerable systems are WP core multisite and WooCommerce, in case wordpress-importer is enabled on the system by a site administrator (not network)/shop manager. Social engineering techniques where the admin/shop manager is tricked into importing a file supplied by a rogue author are also in play, because a user with the author role can supply the thumb value at any time and perform the delete in order to reset the installation, delete some files or disclose information.
p.s. Besides SE techniques there is another way for wp importer users to be blown off by low-impact users such as visitors :)
Is this all?
Of course it is not; there are a few other protected meta manipulation techniques which will be disclosed in the coming period (don't worry, the WP elite knows them, it is safe!)
How to protect your setup
I would advise checking the wp_delete_file function and creating a list of important files from your setup that shouldn't be removed by any means, if you don't want to set certain file system permissions!
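One way to put that advice into practice, as an added example that is not code from this post or from WP core: a must-use plugin that hooks core's wp_delete_file filter (applied inside wp_delete_file() just before unlink(); returning an empty string makes core skip the unlink) and core's add_post_metadata / update_post_metadata filters. The hypo_ prefixed function names and the contents of the protected-file list are assumptions for this example; adjust the list to your own setup.

```php
<?php
/**
 * Plugin Name: Protected-file delete guard (added example, not WP core)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the "must never be removed" list lives in hypo_protected_files().
 */

// Files this example refuses to remove; paths are relative to ABSPATH.
// Assumed list for illustration, extend it with whatever your setup cannot lose.
function hypo_protected_files() {
    return array(
        'wp-config.php',
        '.htaccess',
        'wp-settings.php',
        'wp-load.php',
        'index.php',
    );
}

/**
 * Callback for core's 'wp_delete_file' filter. Returning '' makes core skip
 * unlink(), so a "do not remove" policy can be enforced here.
 */
function hypo_guard_wp_delete_file( $file ) {
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );

    // Core may pass a path relative to the uploads dir (the thumb case),
    // so resolve it the same way core does before checking it.
    $candidate = path_is_absolute( $file ) ? $file : path_join( $uploads['basedir'], $file );
    $real      = realpath( $candidate );

    // Nothing on disk at that path: nothing to protect, let core proceed.
    if ( false === $real ) {
        return $file;
    }

    // 1) Never remove a file on the explicit protected list, however it is referenced.
    foreach ( hypo_protected_files() as $relative ) {
        $protected = realpath( ABSPATH . $relative );
        if ( false !== $protected && $protected === $real ) {
            error_log( 'hypo_guard: blocked deletion of protected file ' . $real );
            return '';
        }
    }

    // 2) Only allow deletions below the uploads basedir; realpath() has already
    //    collapsed any "../" segments, so a prefix comparison is enough here.
    if ( false === $base || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        error_log( 'hypo_guard: blocked deletion outside uploads dir: ' . $real );
        return '';
    }

    return $file;
}
add_filter( 'wp_delete_file', 'hypo_guard_wp_delete_file' );

/**
 * Second line of defence: refuse to store a _wp_attached_file value that points
 * outside the uploads directory. Core's add_post_metadata / update_post_metadata
 * filters short-circuit the write when a non-null value is returned; returning
 * false makes the metadata call fail and leaves the existing value untouched.
 */
function hypo_guard_attached_file_meta( $check, $object_id, $meta_key, $meta_value ) {
    if ( '_wp_attached_file' !== $meta_key ) {
        return $check;
    }

    $value = str_replace( '\\', '/', (string) $meta_value );

    // Core stores this value relative to the uploads basedir (e.g. "2018/06/a.png");
    // an absolute path or a ".." segment is not something a normal upload produces.
    if ( path_is_absolute( $value ) || preg_match( '#(^|/)\.\.(/|$)#', $value ) ) {
        error_log( sprintf( 'hypo_guard: rejected _wp_attached_file "%s" for post %d', $value, $object_id ) );
        return false;
    }

    return $check;
}
add_filter( 'add_post_metadata', 'hypo_guard_attached_file_meta', 10, 4 );
add_filter( 'update_post_metadata', 'hypo_guard_attached_file_meta', 10, 4 );
```

Two caveats: very old installations may legitimately hold absolute paths in _wp_attached_file, so check your postmeta table before enabling the second guard; and both guards only cover deletions that go through wp_delete_file() and metadata writes that go through the metadata API, which is why the file system permissions mentioned above remain the stronger control.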
WP elites are the most important, they can do what they want!
If you are a wp developer, wp host provider or wp security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).