WP checks the mime type against the extension, when possible, limiting the exposure.
See https://developer.wordpress.org/reference/functions/wp_check_filetype_and_ext/
There are restrictions on file type. You cannot upload EXE or SWF files at all. And you cannot upload HTML files unless you are logged in as an Administrator account.
But here’s the thing: if you upload a PHP file renamed to a JPG, then it won’t work anymore. Names of files matter too. Webservers won’t execute a JPG file. They’ll just send it to the browser where it tries to display it, and fails, because it’s not actually an image.
You can upload the file by just renaming something.exe to something.exe.jpg
Moderator
Jan Dembowski
(@jdembowski)
Brute Squad and Volunteer Moderator
You can upload the file by just renaming something.exe to something.exe.jpg
I will certainly regret asking:
How is that a vulnerability? I mean, walk me through it step by step.
This upload insecurity presents a high risk to the business since an attacker with physical access to the victim’s system can upload malicious contents into the application.
Attacker with physical access will not use WP uploader to upload files
Well in my view WordPress should check the content rather than mime type. I have renamed a file from exe to jpg and it got uploaded. Being such a popular CMS, it should implement this security feature
In fact, you may add vulnerable code to .jpg file and upload this file (it’ll pass mime type checking). You may even prepare fake .jpg file full of code. But you can’t use this malicious code if you will not upload/modify other files (like .php files) or, for example, modify .htaccess etc.
As @jdembowski wrote before:
I will certainly regret asking:
How is that a vulnerability? I mean, walk me through it step by step.
Moderator
Jan Dembowski
(@jdembowski)
Brute Squad and Volunteer Moderator
an attacker with physical access to the victim’s system
That’s not a WordPress vulnerability and if someone malicious has access to the file system to write files then WordPress isn’t the problem. And the attacker would never use the file upload capability of WordPress.
Why would they? They already have access without WordPress.
Well in my view WordPress should check the content rather than mime type.
Being such a popular CMS, it should implement this security feature
That’s not a security feature because it attempts to get out of WordPress and enforce security there. That’s just not a really good design for any CMS.
That would be prohibitively difficult for the following reasons.
- It would not be reliable and false identifications would prevent users from uploading legitimate files.
- WordPress is written in PHP and it’s not a anti-virus or content filter. That’s a lot of code and processing to implement.
- It would be an attempt to fix problems outside of WordPress, such as a misconfigured web server or someone with physical access to the file system.
There are add-ons that would do that scanning (security plugins) but those are in a whole different world of code and support. I’ve never used a security plugin but don’t fault people who do.
A web server should not execute code on the wrong file type (extension). If you upload a .JPG file and it’s really a PHP file, the web server should not execute it.
A PC or Mac should not download a MIME type that’s .JPG file and let the use run it as an executable. That’s not a WordPress issue either.
If those happen then that’s still not a WordPress security issue.
I am not satisfied and there is not too much code for this. A simple code:-
$finfo = finfo_open();
$mimeType = finfo_file($finfo, $fileTmpName, FILEINFO_MIME_TYPE);
finfo_close($finfo);
Will do the trick. It will check the exact mime type
Moderator
Jan Dembowski
(@jdembowski)
Brute Squad and Volunteer Moderator
I’m glad you think you’ve managed to reduce it to the simplest terms but that’s not going to do it for the reasons I’ve already stated.
Rather than try and convince others here, why not submit a patch?
https://make.wordpress.org/core/handbook/tutorials/trac/submitting-a-patch/
I don’t think it’s a bad idea, I just don’t think it’s supportable or worth including. But take heart! It’s not up to me. 😉
Submit a patch. Don’t just say “It should be easy” (and it never is), actually work on the problem you’ve presented.
Ok let me come up with a plugin for this 🙂
Your code requires the PHP fileinfo extension. Many people do not install that extension due to its large memory requirement.
Personally…if WordPress is going to require a new PHP extension, mbstring and mysqli are IMO much, MUCH higher on the priority list.
Steven Stern (sterndata).
