Visual Form Builder
[resolved] File upload vulnerability? (6 posts)

  1. Tom Auger
    Member
    Posted 1 year ago #

    Sorry, what a pain, right? I notice that you're not changing the uploaded file's filename at all, and are just storing it in the uploads folder. Doesn't this open up a massive vulnerability, since you're letting anonymous users upload a file, possibly spoofed, and then immediately access that file, now on the server, in an easily guessable location?

    What if the uploaded file were a webshell?

    Okay, you enforce a file extension check, but I don't know if that's a 100% guarantee against an executable upload.

    Please note the relatively recent vulnerability that struck MMForms, and is the reason that plugin is now blacklisted on many sites.

    My recommendation is to hash the filename, or at least create a new folder for each upload with an unguessable, unique hash. That way an anonymous user can't just upload a file and then access it immediately without any verification / validation at all. Hackers notwithstanding, imagine someone (ab)using the upload form to upload questionable material and then immediately guessing and posting a link to that material to a file sharing site? Suddenly your plugin's admin is unwittingly hosting a shared file without even knowing it!

    Something to consider. You may want to simply remove the file upload field for now until you have that issue addressed.

    http://wordpress.org/extend/plugins/visual-form-builder/

  2. kenrichman
    Member
    Posted 1 year ago #

    No guessing required; the URL is contained within the email that the user gets a copy of.
    It's really not ideal for the files to be stored in the uploads folder.

  3. Tom Auger
    Member
    Posted 1 year ago #

    Even scarier. I haven't checked to see whether the upload form uses nonces or not, but if not, there could be a real hole here.

  4. Matthew Muro
    Visual Form Builder Pro
    Plugin Author
    Posted 1 year ago #

    > Please note the relatively recent vulnerability that struck MMForms

    My code is not even remotely close to how they uploaded files.

    > Even scarier. I haven't checked to see whether the upload form uses nonces or not, but if not, there could be a real hole here.

    Maybe you should look before spreading FUD.

    > It's really not ideal for the files to be stored in the uploads folder.

    You are welcome to change this. Here's a tutorial on how to customize the upload directory.

  5. kenrichman
    Member
    Posted 1 year ago #

    Thanks for the tutorial - I have made this change and it works; I can now upload to a different directory.
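As an added example (not Visual Form Builder's code, and not posted by anyone in this thread), the following WordPress handler shows the two ideas raised above implemented together: the per-upload unguessable directory and nonce check from posts 1 and 3, and the upload_dir filter that the tutorial mentioned in posts 4 and 5 uses to move files out of the default uploads folder. The field names vfb_upload and vfb_nonce, the nonce action vfb_upload_action, the directory name vfb-uploads and the function name are assumptions; it relies on PHP 7+ for random_bytes() and on WordPress's wp_handle_upload(), wp_verify_nonce() and wp_upload_dir().

```php
<?php
// Added example, not plugin code. Assumes the form was rendered with
// wp_nonce_field( 'vfb_upload_action', 'vfb_nonce' ) and a file input named "vfb_upload".

function vfb_example_handle_upload() {
    // 1. Reject POSTs that did not originate from the form we rendered (the nonce concern in post 3).
    if ( empty( $_POST['vfb_nonce'] ) || ! wp_verify_nonce( $_POST['vfb_nonce'], 'vfb_upload_action' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or missing nonce.' );
    }
    if ( empty( $_FILES['vfb_upload'] ) || UPLOAD_ERR_OK !== $_FILES['vfb_upload']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }

    // wp_handle_upload() lives in an admin include that is not loaded on the front end.
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 2. Allow-list the types this form accepts; wp_handle_upload() checks the
    //    extension against this list and, for images, the sniffed content as well.
    $allowed = array(
        'pdf'          => 'application/pdf',
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
    );

    // 3. Keep the parent directory's listing closed before anything lands in it;
    //    otherwise the random subdirectory names below would leak via an index page.
    $base   = wp_upload_dir( null, false );
    $parent = $base['basedir'] . '/vfb-uploads';
    wp_mkdir_p( $parent );
    if ( ! file_exists( $parent . '/index.php' ) ) {
        file_put_contents( $parent . '/index.php', "<?php // Silence is golden.\n" );
    }

    // 4. One unguessable directory per upload: 128 bits from the CSPRNG (post 1's suggestion).
    //    This is the same 'upload_dir' filter a site owner uses to relocate uploads wholesale.
    $token    = bin2hex( random_bytes( 16 ) );
    $redirect = function ( $dirs ) use ( $token ) {
        $dirs['subdir'] = '/vfb-uploads/' . $token;
        $dirs['path']   = $dirs['basedir'] . $dirs['subdir'];
        $dirs['url']    = $dirs['baseurl'] . $dirs['subdir'];
        return $dirs;
    };
    add_filter( 'upload_dir', $redirect );

    $result = wp_handle_upload(
        $_FILES['vfb_upload'],
        array(
            'test_form' => false,      // we are not inside the admin media uploader form
            'mimes'     => $allowed,   // replaces the site-wide allowed types for this call
            // 5. Discard the client-supplied filename entirely; keep only the validated extension
            //    ($ext arrives with its leading dot, e.g. ".pdf").
            'unique_filename_callback' => function ( $dir, $name, $ext ) {
                return bin2hex( random_bytes( 8 ) ) . $ext;
            },
        )
    );

    // Remove the per-request filter so later uploads in this request are unaffected.
    remove_filter( 'upload_dir', $redirect );

    // On success: array with 'file', 'url' and 'type'. On failure: array with an 'error' message.
    return $result;
}
```

The resulting path looks like wp-content/uploads/vfb-uploads/<32 hex chars>/<16 hex chars>.pdf, so neither the directory nor the file name can be derived from what the submitter chose. Note that this only makes the location unguessable; as post 2 points out, if the confirmation email still carries the URL, anyone holding that email has the link, so the email template should reference the submission rather than the raw file URL when that matters.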

  6. Tom Auger
    Member
    Posted 1 year ago #

    Hey Matt, I'm sorry if my comments appeared to be defamatory. I can tell from your responses that you're upset. That was not my intention.

    I don't know what FUD is, but I guess it's not a nice acronym. At any rate, I accept that I haven't checked too deeply into your code, but then again, you could have just explained how your code is structured to prevent security issues.

    Not trying to bust your chops. Just looking at ways to improve your already great plugin.

    Be well,

    Tom

This topic has been closed to new replies.