Arbitrary File Upload Vulnerability in HB AUDIO GALLERY
Someone reported to us that our Plugin Vulnerabilities Firewall had blocked an attempt to exploit what turned out to be an arbitrary file upload vulnerability in the plugin HB AUDIO GALLERY. The blocked request was sent to the plugin’s file /lib/upload_picture.php. The relevant code that allows arbitrary file uploads in the file is this:
```php
// Build the target file name from the upload time and the client-supplied name.
// basename() strips directory components but keeps the extension, so a name
// such as "shell.php" is used as-is.
$fileName = time() . '_' . basename($_FILES['picture']['name']);
$success = false;
// HBAG_IMAGE_UPLOAD_DIR is never defined before this point (see below).
$uploadDir = HBAG_IMAGE_UPLOAD_DIR;
$targetPath = $uploadDir . $fileName;
$aid = $_POST['audio_id'];
$targetPathUrl = PICTURE_DIR_URL . $fileName;
//Upload file to server
// No capability, nonce, extension or MIME check precedes the move.
if (move_uploaded_file($_FILES['picture']['tmp_name'], $targetPath)) {
```
That takes a file sent in a multipart request under the form field name "picture" and writes it to a directory on the website. Nothing in that code checks whether the requester is logged in, whether the request carries a nonce, or what type of file is being uploaded; the original file name, extension included, is kept, so a .php file can be uploaded and then requested directly. That is what makes this an arbitrary file upload vulnerability rather than an image upload feature.

For those using PHP 8 or higher, the vulnerable code doesn't work, because the constant HBAG_IMAGE_UPLOAD_DIR is never defined before it is used and PHP 8 throws an Error when an undefined constant is referenced. On PHP 7 an undefined constant is instead treated as a string containing its own name (with a warning), so $targetPath becomes the literal text "HBAG_IMAGE_UPLOAD_DIR" followed by the file name, a relative path that resolves against the directory the script is running from.

The stored file name will therefore consist of the time of the upload, as returned by time(), an underscore, and the original name of the uploaded file, with the text HBAG_IMAGE_UPLOAD_DIR prefixed to it on PHP 7. Because that path is relative, the file will be stored in the plugin's /lib/ directory, the directory /lib/upload_picture.php runs from, which is itself web accessible.
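For comparison, here is a hardened version of the same upload handler. This is an added example and not the plugin's own code: it assumes the handler is moved out of a directly requestable /lib/ file into a WordPress AJAX action so that WordPress's capability, nonce and upload helpers are available. The hook name hbag_upload_picture, the nonce action hbag_upload_picture, the helper hbag_random_picture_name and the response format are all assumed names chosen for the example.

```php
<?php
// Added example, not HB AUDIO GALLERY's code. Assumes WordPress is loaded and
// that the plugin's admin page submits the file to admin-ajax.php with
// action=hbag_upload_picture and a nonce field named _wpnonce.

// Only wp_ajax_ (not wp_ajax_nopriv_) is hooked, so anonymous requests are
// rejected by WordPress before this function runs.
add_action('wp_ajax_hbag_upload_picture', 'hbag_handle_picture_upload');

function hbag_handle_picture_upload() {
    // 1. Require a capability that makes sense for the action (uploading media),
    //    not just "logged in".
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    // 2. Require a nonce tied to this action so the request must come from the
    //    plugin's own admin page (CSRF protection). Dies with a 403 on failure.
    check_ajax_referer('hbag_upload_picture', '_wpnonce');

    if (empty($_FILES['picture']['tmp_name'])
        || !is_uploaded_file($_FILES['picture']['tmp_name'])) {
        wp_send_json_error('no file uploaded', 400);
    }

    // 3. Validate audio_id as a positive integer instead of using raw POST data.
    $aid = isset($_POST['audio_id']) ? absint($_POST['audio_id']) : 0;
    if ($aid === 0) {
        wp_send_json_error('invalid audio_id', 400);
    }

    // 4. Restrict to a small image allowlist. wp_check_filetype_and_ext()
    //    compares the claimed extension with the actual file content, so
    //    "shell.php" or a PHP file renamed to "shell.php.jpg" is rejected.
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    ];
    $check = wp_check_filetype_and_ext(
        $_FILES['picture']['tmp_name'],
        $_FILES['picture']['name'],
        $allowed
    );
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('only JPEG, PNG and GIF images are accepted', 415);
    }

    // 5. Let WordPress move the file into the standard uploads directory under a
    //    random name rather than concatenating a path and the user's file name.
    //    test_form=false because this is not a form post carrying an 'action'
    //    field; 'mimes' re-applies the allowlist inside the helper.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['picture'], [
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => 'hbag_random_picture_name',
    ]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }

    // $result['file'] is the path on disk and $result['url'] the public URL;
    // what the plugin does with them for $aid is outside this example.
    wp_send_json_success(['audio_id' => $aid, 'url' => $result['url']]);
}

// Random, extension-preserving file name so the stored path is unpredictable
// and the client-supplied name never reaches the filesystem. $ext includes the
// leading dot, as passed by wp_unique_filename().
function hbag_random_picture_name($dir, $name, $ext) {
    return wp_generate_password(20, false) . $ext;
}
```

The three changes that matter most are the capability check, the nonce, and the content-based type check; together they close the unauthenticated, arbitrary-type upload that the original /lib/upload_picture.php allows. Defining the upload directory through WordPress rather than an undefined constant also removes the PHP 7 behaviour of writing relative to the plugin's /lib/ directory.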