File Upload flaw in WordPress
When an application accepts only specific kinds of uploads, it should verify that each upload really is one of those kinds. For example, if you want to allow users to upload only .doc files, you should check each file thoroughly to confirm that it is a .doc file. At a basic level, no special programming or resources are needed: match the file signature (the first bytes of the file) against its extension. For example, the file signature of a .doc file (a Microsoft Word document in the OLE2 compound file container) begins with D0 CF 11 E0 (ref: File Signatures on Wikipedia).
WordPress allows users to upload only a limited set of file types, such as doc, pdf, gif and jpg. But while uploading, it does not check the file signature, only the extension. Hence anybody can upload any kind of file by changing the extension, and WordPress will host it.
If WordPress restricts files like .exe or .rar to avoid hosting malware, viruses and trojans, it is doing it wrong. The concern here is not downloading any-kind-of-file with a valid extension, but uploading such files to a WordPress blog. If any kind of file can be uploaded without its signature being considered, bad guys can upload anything and lure users into downloading it. In the Insert Media menu WordPress says "Allowed File Types"; it should say "Allowed File Extensions", since only the extension is checked.
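The check described above, as an added example that is not code from the original post or from WordPress itself: an extension-only check, the way the post describes WordPress behaving, next to a check that also requires the file's leading bytes to match a signature registered for that extension. The allow-list of extensions and magic numbers is an assumption for the example (the OLE2 signature is shown in its full 8-byte form, of which the post quotes the first four bytes); the file contents are constructed samples that carry only the header bytes.

```python
# Added example, not from the original post: match file signature against extension.
# The MAGIC allow-list is an assumption for this example, not WordPress's own list.
import os

# Leading bytes a file with the given extension must start with.
MAGIC = {
    "doc": [bytes.fromhex("D0CF11E0A1B11AE1")],  # OLE2 compound file (.doc/.xls/.ppt)
    "docx": [b"PK\x03\x04"],                      # OOXML documents are ZIP containers
    "pdf": [b"%PDF-"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xFF\xD8\xFF"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}


def _extension(filename: str) -> str:
    """Lower-cased extension without the dot ('' if there is none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def extension_only_check(filename: str) -> bool:
    """The weak check: trust the file name alone. A RAR renamed to .doc passes."""
    return _extension(filename) in MAGIC


def signature_check(filename: str, data: bytes) -> bool:
    """The stronger check: the extension must be allowed AND the content must
    start with a signature that belongs to that extension."""
    ext = _extension(filename)
    if ext not in MAGIC:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])


# Constructed samples: only the header bytes matter for this check.
RAR_HEADER = b"Rar!\x1a\x07\x00" + b"\x00" * 16          # RAR archive signature
OLE2_DOC = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 16  # genuine legacy .doc header
ZIP_DOCX = b"PK\x03\x04" + b"\x00" * 16                   # ZIP container (.docx)
PE_EXE = b"MZ" + b"\x00" * 16                             # Windows executable header

if __name__ == "__main__":
    samples = [
        ("virus.doc", RAR_HEADER),   # the post's scenario: .rar renamed to .doc
        ("report.doc", OLE2_DOC),
        ("report.doc", ZIP_DOCX),    # a .docx mislabelled as .doc
        ("report.docx", ZIP_DOCX),
        ("tool.exe", PE_EXE),
    ]
    for name, data in samples:
        print(f"{name:12s} extension-only={extension_only_check(name)!s:5s} "
              f"signature={signature_check(name, data)}")
```

The renamed RAR passes the extension-only check and fails the signature check, which is the whole point of the post. A prefix match is a floor, not a ceiling: a file can carry a valid GIF or PDF header and still contain a payload for whatever opens it, so uploads should additionally be stored where the web server will not execute them and served as attachments rather than rendered inline.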
Take the case of Gmail: while attaching a file, it checks the file thoroughly (kind of!) so that users can't attach an .exe. Even if someone zips the .exe, Gmail inspects the archive contents and refuses to attach it. But in the case of WordPress, you now know what happens to file uploads. Thus WordPress can act as a file-sharing site too (disregarding the extensions).
Below is a link to the Win32.Polip.A virus, which was a .rar file that I uploaded by altering the extension to .doc. (Download it at your own risk! This is purely a virus and I am not responsible for any harm.)
Polymorphic File Infector Archived File
Bingo! (I tried to contact WordPress Support, but I read that I need to post that in the forums and I can't contact the support team directly unless I am a paying customer. Hence, here I am, making this information public.)