Support » Plugin: Add From Server » WARNING Vulnerability in v3.3.3

  • Resolved crustystainedtowel

    (@crustystainedtowel)


    Add From Server <= 3.3.3 – Authenticated Path Traversal to Arbitrary File Access

    Description
    An authenticated attacker with low permissions can read arbitrary files on the server using Path Traversal.

    Edit (WPScanTeam):
    August 11th, 2020 – Escalated to WP
    August 15th, 2020 – WP investigating
    September 6th, 2020 – No updates, disclosing
    Proof of Concept
    The PoC will be displayed once the issue has been remediated.

    https://wpvulndb.com/vulnerabilities/10391

    DO NOT USE UNTIL IT GETS FIXED!!!


Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    Thread Starter crustystainedtowel

    (@crustystainedtowel)

    @sterndata Remove this topic if that’s the case. However, this should be fixed.

    Plugin Author dd32

    (@dd32)

    Meta Developer

    Hi all,

    As posted in the recent thread mentioning this: https://wordpress.org/support/topic/path-traversal-lead-to-arbitrary-file-reading/#post-13374155

    Hi,

    This plugin is intentional in how it works – it allows accessing any file on the server by design.
    It should not be used by untrusted users on a site.

    The security report is nothing more than missing the fact there’s a link on the page that goes to that exact place (so no URL modifications required).

    If it’s being used on a server with untrusted users, there’s an option in the plugin settings to lock it to a specific Root Directory, which will prevent untrusted users from being able to access all server files. (Untrusted users being non-administrators; administrators can install plugins, edit plugins, etc., and as such are trusted users that can access things like that.)

    This plugin should really not be used today, there’s almost zero reason to use it, use the browser upload tools or contact your webhost to fix it so that the uploader works for you. 13 years ago when this plugin was written there was a real need, today not so much.

    tl;dr: There’s no security issue here, it’s working exactly how it’s intended to, but you probably shouldn’t be using it.

    If this is enough to make you finally stop using the plugin, so be it, but many of you use it for the exact reason that the “researcher” claims is a vulnerability. You can’t have it both ways.

    Thread Starter crustystainedtowel

    (@crustystainedtowel)

    I didn’t see the other thread when I posted this. My apologies. Unfortunately, I cannot modify or delete it. @sterndata was able to approve it, should also remove it.

    It’s good to know, there is no security issue for “admin” Administrator as I’m the only one that deals with my website 🙂

    This plugin should really not be used today, there’s almost zero reason

    The reason I use it is I have downloaded zips in other custom folders in wp-content/uploads that I upload by cPanel File Manager. I do this because I don’t want these downloads mixed in the year folders as it makes it easy for me to swap and so on. The problem is, WordPress Media Library won’t show those download zips by default.

    So this is where your plugin comes in. It will show them in the media library with the URL to the folder for WooCommerce. Sure, I could just copy the URL path manually from cPanel and add that in the digital products page, but your plugin makes it much easier.

    If you say I shouldn’t use it anymore, please point me to something that does the same but still is updated.

    So yeah, I have 1 use for it! It’s wonderful and lightweight.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    As it’s not a vulnerability — or more accurately, a deliberate thing — the entire topic is now publicly visible.

  • The topic ‘WARNING Vulnerability in v3.3.3’ is closed to new replies.