Autoptimize < 2.7.8 – Arbitrary File Upload via "Import Settings" | CVE 2021-24376

Description

The plugin attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.

Proof of Concept

Regularly, zip which contained a PHP file was extracted, but the PHP extension was not on a white list so it was removed from the disk afterwards. It turned out that it is possible to upload a zip which contained a directory with PHP file in it and then it was not removed from the disk. 

Upload can be done using Import Settings functionality available in the following directory: http://localhost:8000/wp-content/uploads/ao_ccss/dir/wp-admin/options-general.php?page=ao_critcss 

Example content of an archive:
$ zip -sf rce.zip
Archive contains:
  dir/
  dir/index.php
  settings.json
Total 3 entries (20 bytes)

Example content of dir/index.php file:
<?php phpinfo() ?>

settings.json is an empty file.

As you can see, there is a "dir" directory inside a zip which contains index.php file. Both will not be removed from the disk after being extracted. After the upload, file can be accessed by visiting such address: http://localhost:8000/wp-content/uploads/ao_ccss/dir/ 

Due to the fact that file is named index.php, there was no need to include file name in the address.