We all know that WordPress powers more than 30% of the web, and the web is, let's say, colorful and full of images. Many web sites grab images from online services and pages with or without permission, but the end goal is obvious: to display the images to end users, and hot-linking, as we all know, isn't an option. This means WP needs to process the images, but before that the images need to be handled, that is, verified.
We all know about ImageTragick and the current Ghostscript issues. In the past even WordPress shared its concerns, but is this enough? Past and current issues in IM coders (Ghostscript can't be disabled; that would make it useless) result in RCE against the server, but as we all know WP is a web application, and the impact of image processing libraries needs to be considered from every perspective. This means that LFI and SSRF are also valid issues that could result in RCE against WP, and those scenarios aren't taken into consideration.
From the IM specification we learn that many image formats are supported and many of them have exotic features, but from its code we also learn that not every supported format ships with the desired security considerations...
Yes, WP supports the upload of images (by form upload, via its service endpoints, or simply by pulling images from external locations; check the popular plugins) and it supports image manipulation via wp_get_image_editor. From the code we learn that the image format is determined by its extension in wp_check_filetype and then an image processing library is chosen (ImageMagick will be used if it is installed on the server/PHP). That means that if the magic bytes and the claimed image format don't agree, IM will try to work out the image itself, and IM also has the option of switching to another format's processing while handling the first one... Everyone will say that those are the final steps and that image validation is done when the image is placed in the storage/uploads directory. Yes, but check this one... or maybe there is an option to completely bypass those lousy checks and store a file as a valid image based only on its extension?
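The flow above (extension decides the type, then the library gets the bytes) is where a defender can insert a content check of their own. The following is an added example written for this post, not WordPress core code and not code from the author: it hooks the real core filters wp_handle_upload_prefilter and wp_image_editors, compares what the extension claims (via wp_check_filetype) with what the bytes say (via libmagic and getimagesize), and refuses the upload before any image library, ImageMagick included, touches the file. The function names example_safe_image_mimes and example_image_mismatch_reason and the small whitelist are this example's own assumptions.

```php
<?php
/**
 * Added example (not WordPress core code): reject image uploads whose bytes do
 * not match the type their extension claims, before ImageMagick sees them.
 * wp_handle_upload_prefilter and wp_image_editors are real core hooks; the
 * helper names and the whitelist below are this example's own choices.
 */

// Raster types we are willing to hand to an image library, keyed by the MIME
// type libmagic reports. Anything else (PostScript, PDF, SVG or MVG renamed to
// .png, and so on) is refused outright. Extend only with what the site needs.
function example_safe_image_mimes() {
    return array(
        'image/jpeg' => array( 'jpg', 'jpeg' ),
        'image/png'  => array( 'png' ),
        'image/gif'  => array( 'gif' ),
        'image/webp' => array( 'webp' ),
    );
}

/**
 * Return null when the file's bytes and extension agree on a safe raster type,
 * otherwise a human-readable reason for rejection.
 */
function example_image_mismatch_reason( $path, $client_name ) {
    $safe = example_safe_image_mimes();
    $ext  = strtolower( pathinfo( $client_name, PATHINFO_EXTENSION ) );

    // 1. Magic bytes via libmagic, independent of the filename.
    $finfo = finfo_open( FILEINFO_MIME_TYPE );
    $real  = $finfo ? finfo_file( $finfo, $path ) : false;
    if ( $finfo ) {
        finfo_close( $finfo );
    }
    if ( ! $real || ! isset( $safe[ $real ] ) ) {
        return 'content is not a supported raster image (' . ( $real ? $real : 'unknown' ) . ')';
    }

    // 2. The extension must belong to the type the bytes say it is.
    if ( ! in_array( $ext, $safe[ $real ], true ) ) {
        return "extension .$ext does not match content type $real";
    }

    // 3. A second, independent decoder must also parse it as that type.
    $info = @getimagesize( $path );
    if ( false === $info || $info['mime'] !== $real ) {
        return 'image header does not parse as ' . $real;
    }
    return null;
}

add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! empty( $file['error'] ) ) {
        return $file; // already failing, nothing to add
    }
    // Only police files WP itself would treat as images by extension.
    $claimed = wp_check_filetype( $file['name'] );
    if ( empty( $claimed['type'] ) || 0 !== strpos( $claimed['type'], 'image/' ) ) {
        return $file;
    }
    $reason = example_image_mismatch_reason( $file['tmp_name'], $file['name'] );
    if ( null !== $reason ) {
        // Setting 'error' makes wp_handle_upload() abort with this message.
        $file['error'] = 'Rejected image upload: ' . $reason;
    }
    return $file;
} );

// Optional hardening: prefer GD, which understands only a handful of raster
// formats, over Imagick, which exposes every coder the server's ImageMagick
// build was compiled with. Imagick stays as a fallback for formats GD lacks.
add_filter( 'wp_image_editors', function ( $editors ) {
    return array( 'WP_Image_Editor_GD', 'WP_Image_Editor_Imagick' );
} );
```

The whitelist is deliberately small: a file whose libmagic type is not in it is rejected even if WordPress would accept its extension, so sites that genuinely need TIFF, BMP or HEIC uploads must add those types. Note that this only covers the form-upload path; images pulled from remote locations by plugins and written straight into the uploads directory never pass through wp_handle_upload and need the same check applied at their own entry point.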
WordPress does nothing from the image validation perspective (not talking about other file formats, if allowed for upload, but about its defaults) and in that way opens the door to:
- RCE attacks
- LFI, which will result in RCE against WP
- SSRF, which will result in RCE on some modern hosting choices
- CSRF, in case browser content players are used
Regarding server-side software updates, please take into consideration the PHP versions installed on production servers, the operating systems, and the IM versions out there...
An image is a witness for the beauty, the good, the bad, the scotch... :D
If you are a WP developer, a WP hosting provider, or a WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).