slavco
Oct 10, 2018 · 2 min read

We all know that WordPress powers more than 30% of the web, and the web is, let's say, colorful and full of images. Many web sites grab images from online services or pages, with or without permission, but the end goal is obvious: to display the images to end users, and hot-linking, as we all know, isn't an option. This means WP needs to process the images, but before that the images need to be handled, that is, verified.

ImageMagick

We all know about ImageTragick and the current Ghostscript issues. In the past even WordPress shared their concerns, but is this enough? Past and current issues in IM coders (Ghostscript can't be disabled; that would make IM useless) result in RCE against the server, but as we all know WP is a web application, and the impact of image processing libraries needs to be considered from every perspective. This means that LFI and SSRF are also valid issues that could result in RCE against WP, and those scenarios aren't being taken into consideration.

From the IM specification we can learn that many image formats are supported and many of them have some exotic features, but from its code we can also learn that not every supported format ships with the desired security considerations…

Images

Yes, WP supports the upload of images (form upload, via its service endpoints, or simply by pulling images from external locations; check popular plugins) and it supports image manipulation via wp_get_image_editor. From the code we learn that the image format is determined by its extension in wp_check_filetype and then the image processing library is chosen (if ImageMagick is installed on the server/PHP, it will be used). That means that if the magic bytes and the image format don't match, IM will still try to work out the image, and there is also the option for IM to switch to processing another format while handling the first one… Everyone will say that those are the final steps and image validation is done while placing the image under the storage/uploads directory. Yes, but check this one… or maybe there is an option to completely bypass those lousy checks and store a file as a valid image based only on its extension?
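As an added example (not code from this post, from WordPress or from ImageMagick), here is a small Python sniffer that performs the check the paragraph says is missing: it reads the leading bytes of an upload, works out which format they really are, and compares that with what the file extension claims, rejecting anything that does not match before ImageMagick or GD ever opens the file. The signature table, the extension allow-list and the sample uploads are constructed for the example; in a WordPress plugin the same logic would sit in a `wp_handle_upload_prefilter` filter written in PHP.

```python
"""Added example: sniff the real format of an upload from its leading bytes
and compare it with what the file extension claims, before any image
library (GD or ImageMagick) is asked to open it.

Illustrative code only, not WordPress or ImageMagick code.
"""
from typing import Optional

# Well-known file signatures: (format, offset, magic bytes).
SIGNATURES = [
    ("png",  0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("gif",  0, b"GIF87a"),
    ("gif",  0, b"GIF89a"),
    ("bmp",  0, b"BM"),
    ("webp", 8, b"WEBP"),       # RIFF container with 'WEBP' at offset 8
    ("pdf",  0, b"%PDF-"),
    ("ps",   0, b"%!PS"),
]

# Extensions a site intends to accept as raster images, mapped to the format
# the bytes must actually be (constructed allow-list; adjust per site).
ALLOWED_EXTENSIONS = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
    "gif": "gif", "bmp": "bmp", "webp": "webp",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if fmt == "webp" and data[:4] != b"RIFF":
                continue
            return fmt
    # Text-based formats have no fixed binary magic, so look at the start
    # of the payload: XML/SVG first, then anything that is plain text.
    head = data[:512].lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "svg"
    if head and all(32 <= b < 127 or b in b"\t\r\n" for b in head):
        return "text"
    return None


def check_upload(filename: str, data: bytes) -> dict:
    """Decide whether `data` may be handed to an image editor as `filename`.

    Accept only when the extension is on the allow-list AND the sniffed
    format is the one that extension promises; every mismatch is rejected
    and reported so it can be logged.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALLOWED_EXTENSIONS.get(ext)
    detected = sniff_format(data)
    accept = declared is not None and detected == declared
    return {"filename": filename, "declared": declared,
            "detected": detected, "accept": accept}


# Constructed sample uploads (headers only; enough for the sniffer).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "anim.webp": b"RIFF\x00\x00\x00\x00WEBPVP8 ",
    "scan.jpg":  b"%!PS-Adobe-3.0\n",                  # PostScript header behind a .jpg name
    "logo.gif":  b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>",
    "icon.svg":  b"<svg xmlns='http://www.w3.org/2000/svg'/>",  # not on the allow-list
    "empty.png": b"",                                   # truncated/empty upload
}


def run_checks() -> dict:
    """Run check_upload over the samples; returns {filename: result}."""
    return {name: check_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_checks().items():
        verdict = "accept" if result["accept"] else "REJECT"
        print(f"{verdict:6} {name:10} declared={result['declared']} "
              f"detected={result['detected']}")
```

Rejecting on mismatch rather than "fixing" the extension is the point: ImageMagick selects its coder from the content, not the name, so a PostScript or SVG payload named `.jpg` would otherwise reach a coder the site never meant to expose. Restricting coders in ImageMagick's policy.xml (for example a `<policy domain="coder" rights="none" pattern="PS" />` line) is the complementary server-side control.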

Summary

WordPress is doing nothing from an image validation perspective (not talking about other file formats if they are allowed for upload, but about its defaults) and in that way opens the door to:

  1. RCE attacks
  2. LFI, which will result in RCE against WP
  3. SSRF, which will result in RCE on some modern hosting choices
  4. CSRF, in case browser content players are used

Regarding server-side software updates, please take into consideration the PHP versions installed on production servers, the operating systems, the IM versions out there…

An image is a witness to the beauty, the good, the bad, scotch… :D

Promo

If you are a WP developer, a WP host provider, or a WP security product provider with a valuable list of clients, we offer a subscription list, and we are exceptional (B2B only).

websec

Attack sources + web application security
