13 Sep 2017

Authenticated Arbitrary File Upload Vulnerability in Football Pool

Through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities, we recently found an authenticated arbitrary file upload vulnerability in the Football Pool plugin.

The plugin has a number of admin pages that are available to users with the ‘manage_football_pool’ capability. The plugin creates a new role with that capability and also grants the capability to Editor and Administrator-level users (in the file /classes/class-football-pool.php):

add_role( 'football_pool_admin', 'Football Pool Admin',
			array(
				'read' => true,
				'manage_football_pool' => true,
			)
);

$role = get_role( 'administrator' );
if ( ! is_null( $role ) ) $role->add_cap( 'manage_football_pool' );
$role = get_role( 'editor' );
if ( ! is_null( $role ) ) $role->add_cap( 'manage_football_pool' );

Through the Matches admin page the plugin provides an upload capability intended for CSV files.

When the upload occurs, a valid nonce is checked before the function that handles the upload runs, which prevents cross-site request forgery (CSRF) (in the file /admin/class-football-pool-admin-games.php):

check_admin_referer( FOOTBALLPOOL_NONCE_ADMIN );
$uploaded_file = self::upload_csv();

As of version 2.6.3, the function didn’t include any restriction on what type of file could be uploaded:

private static function upload_csv() {
	$err = false;
	if ( is_uploaded_file( $_FILES['csv_file']['tmp_name'] ) ) {
		$new_file = FOOTBALLPOOL_CSV_UPLOAD_DIR . $_FILES['csv_file']['name'];
		if ( move_uploaded_file( $_FILES['csv_file']['tmp_name'], $new_file ) === false ) {

Earlier today we notified the developer of the plugin of the vulnerability and they promptly released a new version, 2.6.4, which restricts uploads to files with .csv and .txt extensions:

private static function upload_csv() {
	$err = false;
	$msg = '';
	if ( is_uploaded_file( $_FILES['csv_file']['tmp_name'] ) ) {
		$new_file = FOOTBALLPOOL_CSV_UPLOAD_DIR . $_FILES['csv_file']['name'];
		$extension = pathinfo( $new_file, PATHINFO_EXTENSION );
		if ( in_array( $extension, array( 'csv', 'txt' ) ) ) {
			if ( move_uploaded_file( $_FILES['csv_file']['tmp_name'], $new_file ) === false ) {
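
As an added example (not code from this post or from the plugin), the following Python script applies the same extension rule that 2.6.4 introduced to files already sitting in the upload directory, which is the check a site owner who ran 2.6.3 or earlier would want to run after upgrading. The sample directory and file names are constructed in a temporary folder; the real location is the one given in the proof of concept below.

```python
"""Audit the Football Pool schedule upload directory with the 2.6.4 rule.
Added example, not code from the original post or the plugin: the fixed
upload_csv() only keeps files whose pathinfo() extension is csv or txt, so
applying the same rule to files already on disk flags anything a vulnerable
version may have stored (by default wp-content/uploads/football-pool/schedules)."""
import os
import tempfile

ALLOWED_EXTENSIONS = ("csv", "txt")  # the allowlist introduced in 2.6.4


def php_extension(filename: str) -> str:
    """Mimic pathinfo($name, PATHINFO_EXTENSION): text after the last dot,
    '' when there is none. Like PHP, '.htaccess' yields 'htaccess'."""
    base = os.path.basename(filename)
    return base.rpartition(".")[2] if "." in base else ""


def unexpected_uploads(directory: str, allowed=ALLOWED_EXTENSIONS) -> list:
    """Files directly under `directory` that the 2.6.4 extension check
    would not have accepted (case-sensitive, like in_array), sorted."""
    flagged = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and php_extension(name) not in allowed:
            flagged.append(name)
    return sorted(flagged)


def demo() -> list:
    """Run the audit over a constructed sample directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: two legitimate schedules plus three names that
        # only an unpatched upload_csv() would have stored.
        for name in ("schedule.csv", "notes.txt", "unexpected.php",
                     "schedule.csv.php", ".htaccess"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("sample\n")
        return unexpected_uploads(tmp)


if __name__ == "__main__":
    for name in demo():
        print("not a csv/txt upload:", name)
```

Point unexpected_uploads() at the real schedules directory of a site that ran a vulnerable version; any file it returns was not something the fixed plugin would have accepted and deserves a look.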

Proof of Concept

  1. Log in to WordPress as a user with the role Football Pool Admin.
  2. Visit the Matches page of the plugin, /wp-admin/admin.php?page=footballpool-games.
  3. Click the “Bulk change game schedule” button in the top right of the page.
  4. In the “Upload new game schedule” section of the page, choose a file and click the “Upload CSV” button.
  5. The file will be uploaded to the directory /wp-content/uploads/football-pool/schedules/.

Timeline

  • September 13, 2017 – Developer notified.
  • September 13, 2017 – Developer responds.
  • September 13, 2017 – Version 2.6.4 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
