WordPress Plugin Vulnerabilities
W3 Total Cache < 0.9.5 – Authenticated Arbitrary File Upload
Description
When you create a support ticket on the plugin page, you can attach one or more files from your computer.
These files are then sent to the author to help resolve the issue.
Looking at the code, W3TC does this:
**********
/**
 * Attach other files
 */
if (!empty($_FILES['files'])) {
    $files = (array)$_FILES['files'];
    for ($i = 0, $l = count($files); $i < $l; $i++) {
        if (isset($files['tmp_name'][$i]) && isset($files['name'][$i]) && isset($files['error'][$i]) && $files['error'][$i] == UPLOAD_ERR_OK) {
            $path = W3TC_CACHE_TMP_DIR . '/' . $files['name'][$i];
            if (@move_uploaded_file($files['tmp_name'][$i], $path)) {
                $attachments[] = $path;
            }
        }
    }
}
**********
and
**********
/**
 * Remove temporary files
 */
foreach ($attachments as $attachment) {
    if (strstr($attachment, W3TC_CACHE_TMP_DIR) !== false) {
        @unlink($attachment);
    }
}
**********
OK, so when you submit the form as an administrator, W3TC uploads the file into its temporary folder /wp-content/cache/tmp/ and deletes it right afterwards: the file lives for only a few milliseconds.
But what if I send two files, the first a 2 KB malicious PHP file containing a backdoor and the second a 20 MB file? The submission takes much longer, and the first file is not deleted until the second one has been uploaded, so I can now access the first file.
An administrator is not necessarily allowed to execute custom PHP code: he is a WordPress administrator, not the webmaster, so this represents a vulnerability.
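As an added example (not W3TC's own code), a hardened version of the attachment loop above: the server chooses a random filename instead of trusting $_FILES['name'], and the extension is checked against a short allow-list with WordPress's wp_check_filetype(), so a .php upload is never written under a predictable URL in the first place. The constant W3TC_CACHE_TMP_DIR comes from the page; the function name and the allow-list are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress
// (wp_check_filetype() available) and that W3TC_CACHE_TMP_DIR is defined.
function w3tc_example_collect_attachments(array $files_param): array
{
    $attachments = array();

    // Only a fixed set of diagnostic file types is accepted; the
    // client-supplied name, extension and MIME type are never trusted.
    $allowed = array(
        'txt' => 'text/plain',
        'log' => 'text/plain',
        'zip' => 'application/zip',
    );

    $names = (array) ($files_param['name'] ?? array());
    foreach ($names as $i => $client_name) {
        $tmp   = $files_param['tmp_name'][$i] ?? '';
        $error = $files_param['error'][$i] ?? UPLOAD_ERR_NO_FILE;

        // Strict comparison, and confirm PHP itself produced the temp file.
        if ($tmp === '' || $error !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
            continue;
        }

        // wp_check_filetype() maps the extension against the allow-list;
        // .php, .phtml, .htaccess and anything else unlisted yields ext = false.
        $type = wp_check_filetype($client_name, $allowed);
        if (empty($type['ext'])) {
            continue;
        }

        // Server-chosen random name: the uploader cannot influence the path,
        // so even a file that survives the unlink window has no script extension
        // and no guessable location.
        $path = W3TC_CACHE_TMP_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $type['ext'];

        if (@move_uploaded_file($tmp, $path)) {
            $attachments[] = $path;
        }
    }

    return $attachments;
}
```

Denying direct web access to the temporary directory (for example with a server rule on /wp-content/cache/tmp/) is the second layer: the race window between move_uploaded_file() and unlink() then cannot be used to serve anything, whatever was uploaded.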