Our Proactive Monitoring Caught an Authenticated Arbitrary File Viewing Vulnerability Being Introduced into Apply Online
One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file viewing vulnerability being introduced into the plugin Apply Online.
The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool.
The vulnerability occurs in the function output_attachment():
```php
function output_attachment(){
    if(current_user_can('read_application') AND isset($_REQUEST['aol_attachment'])){
        // the file you want to send
        $path = $_REQUEST['aol_attachment'];

        // the file name of the download, change this if needed
        $public_name = basename($path);
        $mime_type = mime_content_type($path);

        // send the headers
        header("Content-Disposition: attachment; filename=$public_name;");
        header("Content-Type: $mime_type");
        header('Content-Length: ' . filesize($path));

        if( !function_exists('finfo_open') ){
            echo file_get_contents($path);
            // (remainder of the function not shown in the post)
```
That will output the contents of whatever file is named by the request parameter "aol_attachment" (it is read from $_REQUEST, so it can be supplied through GET or POST). The value is passed straight to mime_content_type(), filesize() and file_get_contents() without any check that it points into the plugin's attachment directory, so a relative path such as ../wp-config.php, or an absolute path to any file the PHP process can read, will be served.
Accessing that functionality in the function requires the "read_application" capability. The plugin provides that capability to those with the Administrator role, as well as to two new roles created by the plugin, AOL Manager and AOL Jury, with the latter role having fewer capabilities. Users with those roles also have the level of access needed to reach the function in the first place, as can be seen with the proof of concept below.
To fix this, it looks like the functionality should limit the files that can be viewed to only those in the directory where the plugin stores attachments uploaded through it.
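The following is an added example of that fix, written for this post and not code from the Apply Online plugin. It assumes the plugin has a single private attachment directory (passed in as $base_dir; the real plugin's folder name is not known here) and uses the hypothetical helper names aol_resolve_attachment() and aol_output_attachment(). The check keeps only the file name from the request and then verifies, after realpath() has resolved any symlinks, that the result still lives inside the attachment directory; the self-check at the end runs the proof-of-concept input from this post against a constructed temporary folder.

```php
<?php
// Added example (not the plugin's own code). $base_dir and the aol_* helper
// names are assumptions for illustration.

/**
 * Resolve a user-supplied attachment name to a canonical path inside $base_dir.
 * Returns the absolute path, or null if the request points outside the folder,
 * at something that is not a regular file, or at a file that does not exist.
 */
function aol_resolve_attachment(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // NUL bytes can truncate paths in the underlying C calls; reject them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Only the file name is taken from the request; directory components
    // such as "../" or a leading "/" are discarded before the path is built.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() resolves symlinks, so a link inside the folder that points
    // outside it fails this containment check as well.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/** Hardened replacement for the body of output_attachment(). */
function aol_output_attachment(string $base_dir, string $requested): bool
{
    $path = aol_resolve_attachment($base_dir, $requested);
    if ($path === null) {
        http_response_code(404); // in a plugin this would typically be wp_die()
        return false;
    }
    $public_name = basename($path);
    $mime_type = function_exists('mime_content_type')
        ? (mime_content_type($path) ?: 'application/octet-stream')
        : 'application/octet-stream';
    // Quote the file name so a name containing ';' cannot alter the header.
    $safe_name = str_replace(['"', "\r", "\n"], '', $public_name);
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('Content-Type: ' . $mime_type);
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}

// Self-check against a constructed temporary attachment folder (not real data).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'aol_example_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'cv.pdf', "%PDF-1.4 example\n");

$cases = [
    'cv.pdf'                 => true,   // legitimate attachment
    '../wp-config.php'       => false,  // the traversal from the proof of concept
    '../../../../etc/passwd' => false,
    '/etc/passwd'            => false,  // absolute path
    '..'                     => false,
    'missing.pdf'            => false,  // inside the folder but does not exist
];
foreach ($cases as $input => $expected) {
    $allowed = aol_resolve_attachment($tmp, $input) !== null;
    printf("%-26s %s\n", var_export($input, true), $allowed === $expected ? 'ok' : 'FAIL');
}

unlink($tmp . DIRECTORY_SEPARATOR . 'cv.pdf');
rmdir($tmp);
```

The important property is that the request only ever chooses a name within the attachment folder; it never chooses the folder. Validating with basename() alone is not enough on its own if the folder can contain symlinks or if subdirectories are later allowed, which is why the realpath() prefix check is kept as a second layer.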
Due to the moderators of the WordPress Support Forum's continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since multiple previously fully disclosed vulnerabilities were quickly on hackers' radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Proof of Concept
The following proof of concept will show the contents of the WordPress configuration file, when logged in as a user with the AOL Jury role.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/?aol_attachment=../wp-config.php
Is It Fixed?
If you are reading this post down the road, the best way to find out if this vulnerability or other vulnerabilities in WordPress plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer's information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.
AOL Manager & AOL Jury are both internal user roles (e.g. staff of the company) & only a WP Administrator user can assign these two roles to a user. They are not like WooCommerce customers, where you buy a product & get a user account with the CUSTOMER user role.
So, if an AOL MANAGER or AOL JURY role is accessing a file, that is by the will of the Administrator. A hacker can never get access to these files until an administrator wants.
This article leads to a false assumption. Please remove this article.
Thank You!
We noted the limited roles that are able to access this, but that doesn’t mean it isn’t a vulnerability, since those users shouldn’t be able to do what they are able to do.
That is not a vulnerability at all. Do you think "edit_themes" & "edit_plugins" default WP capabilities are vulnerabilities to the WordPress system where a user with these caps can write any sort of good & evil code in the theme's functions & plugins files?
"read_application" is a similar capability that has been created for Administrator, AOL Manager & AOL JURY roles to perform some advanced functionalities including accessing files in the private folders, that were attached to application forms sent by the applicants.
Being the plugin developer let me tell you again, these roles are very limited, very controlled & internal. This article is based on a false assumption & must be removed for the benefit of the WP Community.
Thank you again!
Based on the name of the capability, “read_application”, and your description of what it is intended to allow, it shouldn’t allow someone to view the contents of arbitrary files on the website, which is what is at issue.
Again, we noted the limited roles that are able to access this, but that doesn’t mean it isn’t a vulnerability, since those users shouldn’t be able to do what they are able to do.
“read_application” capability allows private & internal user roles (Administrator, AOL Manager & AOL jury) to read, access & analyze received applications with attachments. Attachments are saved in the private folders to restrict public access to them & to allow access to above mentioned roles only. This intention is purely not a vulnerability but a desired functionality for internal & private user roles only.
Thank you!
The intended functionality isn’t a vulnerability, which is why in the post we noted this as the solution:
So you need to limit the access to what it is intended and that fixes the vulnerability.
Dear Author,
As admitted by you in your comment: “The intended functionality isn’t a vulnerability, which is why in the post we noted this as the solution”
But the tags, categories & topic of this article which contains "Authenticated Arbitrary File Viewing Vulnerability Being Introduced" is completely misleading, that is why I have requested you many times to please put this post down as a good will gesture.
I have explained everything technically in my previous comments that the use of the "read_application" capability check at the start of the output_attachment() function rules out any threat of vulnerability because this capability is assigned to internal, private & controlled user roles which are Administrator, AOL Manager & AOL Jury. Only Administrator can assign Manager & Jury roles to a user (their hired office staff) for viewing, analyzing & assessing Application Forms & attachments sent by the Applicants.
Side Note: I really appreciate your efforts for Proactive Monitoring of the plugins. When the police stop people on the road, they do not always fine them; they also let them go when no rule has been broken.
Cheers!
We didn’t say there isn’t a vulnerability, what we said is that “the intended functionality isn’t a vulnerability”, but the functionality isn’t limited to that, which is where the vulnerability comes in. Just look at the proof of concept we included in our post, it allows viewing the contents of WordPress’ configuration file, which isn’t something that the functionality is intended to allow.
When the file view function is limited to the hired & paid staff of the website in the limited & controlled environment and administrator knows that he is giving rights by his own will then where the vulnerability comes in?
You must know that users with “edit_themes” and “edit_plugins” default capabilities have rights to put any GOOD or EVIL code in the WordPress system. But that is not considered vulnerable due to the requirement of the system. My dear in the same way, ApplyOnline plugin is giving rights to the hired/paid Manager & Jury staff to access files in the controlled & private environment. That is simply not a vulnerability but a useful functionality!
It isn’t controlled, as any file on the website can be viewed instead of just the intended ones, that is the vulnerability here. Instead of continuing to claim there isn’t a vulnerability, just fix it.
You are avoiding answer to the 2nd part of my last comment i.e. “edit_theme” or “edit_plugin” capabilities which give rights to a user to edit any file of any plugin & any theme.
We already have tried to explain this to you multiple times, the issue with your code is that it is allowing users to do something they are not intended to being doing as the code allows viewing the contents of any files, not just the intended ones. So the relevant metaphor would be if a user was given the “switch_themes” capability and then they were allowed “to edit any file of any plugin & any theme.”
Instead of continuing to claim there isn’t a vulnerability, just fix it.
Farhan, this site has NOTHING to do with you, the WordPress community, or security. This website is solely a pity party cry baby account that whines, pisses and moans because WordPress doesn't do what they want. Yes, they even say as much all over their site. Then, they tell you to tell WordPress to stop their behavior and they will stop theirs. Sound like a 5-year-old yet? Just forget about this site, this page, and these people. They are A JOKE and laughing stock. I talked with a member of WP Engine yesterday, another plugin developer that makes membership plugins, the WordPress top moderator, and others; and they all know about this guy. Guess what? He doesn't have a good image with any of them. His plugin / company are a joke because of the way he goes about things. There would be use for what he is doing if he could do it in a constructive way. But this person's parents never taught them how to get over themselves or spend their time constructively. Bottom line? This company is already in bad standing with everyone in the WP community and is not seen as doing good, just seen as an out of control lunatic posting nonsense. I will warn though that this loser will report you to WordPress.org so you may want to look into your issue and fix it before the plugin team has no other choice but to pull it temporarily. Got to love cry babies!
You seriously need to get help, because this is not the reaction an adult should have to someone disclosing that their plugin contains a vulnerability. What you are saying doesn't even make sense, as you are claiming that we are a "JOKE and laughing stock", but at the same time claiming that we actually correctly identify issues and the plugin team pulls them for those. If you actually read what the WordPress Plugin Directory team suggests doing if you find a vulnerability in a WordPress plugin, it is to report it to them, which then leads to it being removed. That isn't what we do, since we are fully disclosing vulnerabilities and only leaving a message for the developer through the WordPress Support Forum until the moderation of the WordPress Support Forum is cleaned up, but what you are claiming we are doing is what they suggest doing.
You are not only a joke, you're DANGEROUS. It is dangerous to users of plugins to have the exploit for a hacker to just look up and find. You have a great idea! You really do. But your efforts are in vain because of how you do it. You are creating a public spot hackers squat on to watch for these things. You are doing their work for them while they sit back and sip coffee. It is irresponsible (at the very best) to show how to bust into someone's website and exploit it. No mincing words or full disclosure this or that is going to change that fact. You are DANGEROUS. Want to help? Work with the plugin author. And, YES, by all means contact Otto or plugins@wordpress.org. THAT is what you SHOULD do. But making a post showing how to exploit a website is dangerous for the owner of that site. And, just because you don't get your way to post it wherever you damn well please (WP support forums) doesn't give you the right to do so. You have Otto and plugins@wordpress.org as well as the plugin author themselves to work with. Why don't you focus on building your vision and your product? Why do you spend your time at war with WP.org? C'mon man! It really isn't worth your time. What is $$$ your time is to correct your approach and market yourself.
We don't know what is wrong with you, but you clearly should get help. You don't seem to realize that your ranting in the comments section of multiple posts of ours that are not related to the vulnerability in your plugin isn't showing that we have a problem, but that you have one.
Is this forum really helpful for hackers? It sounds alarming, as it is providing support to the underworld.
You are replying to a blog post, so we don’t know what forum you are referring to.