WordPress file upload vulnerability

  • One can easily change the extension of any malicious file such as .exe,.php to .jpg and upload it. Why there is no restriction of actual type of file?

  • Moderator Steve Stern

    (@sterndata)

    WP checks the mime type against the extension, when possible, limiting the exposure.

    See https://developer.wordpress.org/reference/functions/wp_check_filetype_and_ext/

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    There are restrictions on file type. You cannot upload EXE or SWF files at all. And you cannot upload HTML files unless you are logged in as an Administrator account.

    But here’s the thing: if you upload a PHP file renamed to a JPG, then it won’t work anymore. Names of files matter too. Webservers won’t execute a JPG file. They’ll just send it to the browser where it tries to display it, and fails, because it’s not actually an image.

    You can upload the file by just renaming something.exe to something.exe.jpg

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    You can upload the file by just renaming something.exe to something.exe.jpg

    I will certainly regret asking:

    How is that a vulnerability? I mean, walk me through it step by step.

    This upload insecurity presents a high risk to the business since an attacker with physical access to the victim’s system can upload malicious contents into the application.

    Adam

    (@adamlachut)

    Attacker with physical access will not use WP uploader to upload files

    Well in my view WordPress should check the content rather than mime type. I have renamed a file from exe to jpg and it got uploaded. Being such a popular CMS, it should implement this security feature

    Adam

    (@adamlachut)

    In fact, you may add vulnerable code to .jpg file and upload this file (it’ll pass mime type checking). You may even prepare fake .jpg file full of code. But you can’t use this malicious code if you will not upload/modify other files (like .php files) or, for example, modify .htaccess etc.
    As @jdembowski wrote before:

    I will certainly regret asking:
    How is that a vulnerability? I mean, walk me through it step by step.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    an attacker with physical access to the victim’s system

    That’s not a WordPress vulnerability and if someone malicious has access to the file system to write files then WordPress isn’t the problem. And the attacker would never use the file upload capability of WordPress.

    Why would they? They already have access without WordPress.

    Well in my view WordPress should check the content rather than mime type.

    Being such a popular CMS, it should implement this security feature

    That’s not a security feature because it attempts to get out of WordPress and enforce security there. That’s just not a really good design for any CMS.

    That would be prohibitively difficult for the following reasons.

    1. It would not be reliable and false identifications would prevent users from uploading legitimate files.
    2. WordPress is written in PHP and it’s not an anti-virus or content filter. That’s a lot of code and processing to implement.
    3. It would be an attempt to fix problems outside of WordPress, such as a misconfigured web server or someone with physical access to the file system.

    There are add-ons that would do that scanning (security plugins) but those are in a whole different world of code and support. I’ve never used a security plugin but don’t fault people who do.

    A web server should not execute code on the wrong file type (extension). If you upload a .JPG file and it’s really a PHP file, the web server should not execute it.

    A PC or Mac should not download a file whose MIME type is .JPG and let the user run it as an executable. That’s not a WordPress issue either.

    If those happen then that’s still not a WordPress security issue.

    I am not satisfied and there is not too much code for this. Some simple code:

    $fileTmpName = $_FILES['file']['tmp_name'];               // path of the uploaded temp file
    $finfo = finfo_open();
    $mimeType = finfo_file($finfo, $fileTmpName, FILEINFO_MIME_TYPE); // sniffs the file content, not its name
    finfo_close($finfo);

    Will do the trick. It will check the exact mime type.
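
The check Steve Stern refers to (sniffed MIME type must agree with the extension) and the finfo snippet above, put together as an added example. This is not WordPress core code and not wp_check_filetype_and_ext() itself; the ALLOWED_TYPES allowlist, the validate_upload() function and the sample file bytes are all constructed for illustration, and it assumes the PHP fileinfo extension is available.

```php
<?php
// Added example, not WordPress code: an upload is accepted only if its
// extension is on an allowlist AND the content sniffed by fileinfo reports
// the MIME type that extension is supposed to carry.

// Assumed allowlist: extension => MIME type the content must sniff as.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one upload. Returns ['ok' => bool, 'reason' => string, 'mime' => ?string].
 */
function validate_upload(string $originalName, string $tmpPath): array
{
    // 1. Extension check: only the last extension counts and it must be allowlisted.
    //    "something.exe.jpg" has extension "jpg" and passes this step;
    //    "something.exe" or "shell.php" is rejected here without reading the file.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return ['ok' => false, 'reason' => "extension .$ext not allowed", 'mime' => null];
    }

    // 2. Content sniff: fileinfo reads the magic bytes and ignores the file name.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);

    // 3. Extension and content must agree, otherwise the file is rejected even
    //    though step 1 passed.
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [
            'ok'     => false,
            'reason' => "content sniffs as $mime, expected " . ALLOWED_TYPES[$ext],
            'mime'   => $mime,
        ];
    }
    return ['ok' => true, 'reason' => 'extension and content agree', 'mime' => $mime];
}

// Constructed samples (written to temp files; no real upload is involved).
$samples = [
    // Minimal JPEG header: SOI marker followed by an APP0/JFIF segment.
    'photo.jpg'         => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    // PHP source renamed to .jpg: passes the extension check, content sniffs
    // as a text/PHP type rather than image/jpeg, so it is rejected in step 3.
    'shell.jpg'         => "<?php echo 'not an image'; ?>\n",
    // "MZ" executable header with a double extension: passes step 1, fails step 3.
    'something.exe.jpg' => "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00",
    // Same bytes with their real extension: rejected in step 1, never sniffed.
    'something.exe'     => "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00",
];

foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $result = validate_upload($name, $tmp);
    unlink($tmp);
    printf("%-20s %s (%s)\n", $name, $result['ok'] ? 'ACCEPT' : 'REJECT', $result['reason']);
}
```

Only photo.jpg is accepted; the other three are rejected either on extension or on the mismatch between sniffed content and extension. This is exactly as far as such a check can go: a file that passes it is still just bytes on disk, and whether the web server ever executes something in the uploads directory is a server configuration matter, as the thread goes on to say.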

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    I’m glad you think you’ve managed to reduce it to the simplest terms but that’s not going to do it for the reasons I’ve already stated.

    Rather than try and convince others here, why not submit a patch?

    https://make.wordpress.org/core/handbook/tutorials/trac/submitting-a-patch/

    I don’t think it’s a bad idea, I just don’t think it’s supportable or worth including. But take heart! It’s not up to me. 😉

    Submit a patch. Don’t just say “It should be easy” (and it never is), actually work on the problem you’ve presented.

    Ok let me come up with a plugin for this 🙂

    Your code requires the PHP fileinfo extension. Many people do not install that extension due to its large memory requirement.

    Personally…if WordPress is going to require a new PHP extension, mbstring and mysqli are IMO much, MUCH higher on the priority list.
