[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Fancy Product Designer for WooCommerce - Unrestricted File Upload
From: Jonathan Gregson via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2020-11-15 19:10:59
Message-ID: SA2PR22MB26826407497D7FA777163B6FA2E40 () SA2PR22MB2682 ! namprd22 ! prod ! outlook ! com
[Download RAW message or body]
## About Fancy Product Designer for WooCommerce
Fancy Product Designer for WooCommerce is a WordPress plugin which allows users to design \
custom products in a vendor's WooCommerce store. It is sold through the third-party marketplace \
"Envato Market" and boasts over 15,000 sales.
## Unrestricted File Upload
Fancy Product Designer for WooCommerce before and including version 4.5.1 contains an \
Unrestricted File Upload vulnerability.
An unauthenticated attacker is able to upload any type of file to an affected WooCommerce store \
by exploiting a Time of Check, Time of Use (TOCTOU) weakness in custom-image-handler.php's \
`url` parameter. However, the file will be saved with one of the following extensions on the \
server: jpeg, png, or svg.
Fancy Product Designer for WooCommerce provides an option to require users to log in before \
uploading images. However, an attacker is able to access the custom-image-handler.php file \
directly and upload arbitrary files without authentication.
### Details
The custom-image-handler.php file provides an interface where unauthenticated users can provide \
the URL of an image and have that image saved on the server. Before saving the file, \
custom-image-handler.php first checks the MIME type of the file and confirms that it is one of \
the following: jpeg, png, or svg. Once the file's MIME type has been verified, \
custom-image-handler.php downloads the file a second time and saves the most recent copy to the \
filesystem with an extension corresponding to the MIME type of the originally verified file.
This vulnerability can be exploited by sending a POST request to the following URL of an \
affected WooCommerce site:
/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php
With this request, the following POST parameters should be sent as form data:
- saveOnServer: 1
- uploadsDirURL: https://[affected site]/wp-content/uploads/fancy_products_uploads/
- uploadsDir: [full path to where the file should be saved on the server]
- url: [attacker-controlled URL]
The attacker-controlled URL should initially point to a valid file of type: jpeg, png, or svg. \
Once a request has been made for the file, the attacker can replace the file at the \
attacker-controlled URL with a malicious file, and the malicious file will be saved on the \
server. The URL of the uploaded file will then be returned to the attacker in response to the \
POST request.
Note: The default values for the `uploadsDirURL` and `uploadsDir` parameters can be found by \
searching for the same strings in the source of any page using an affected version of Fancy \
Product Designer for WooCommerce. Attackers are also able to provide local file paths, which \
will cause FPD to copy the specified file into the uploads directory if the file is one of the \
expected types and the server is running with sufficient permissions to read the file.
### Impact
The fact that the uploaded file will have one of the previously mentioned extensions greatly \
mitigates the impact of this vulnerability, as none of the allowed extensions will be executed \
by the server. The following scenarios are plausible by abusing this \
vulnerability:
- Stored XSS by uploading an SVG containing a malicious JavaScript payload
- Malware distribution by uploading malicious binaries and other payloads
### Proof of Concept
- Exploit code: [poc.php](https://github.com/jdgregson/Disclosures/blob/master/fancy-product-designer/unrestricted-file-upload/poc.php)
- Demo video: [unrestricted-file-upload.mp4](https://raw.githubusercontent.com/jdgregson/Disclo \
sures/master/fancy-product-designer/unrestricted-file-upload/unrestricted-file-upload.mp4)
### Disclosure Timeline
- 10/11/2020: issue reported via ticket on developer's support forum
- 10/11/2020: ticket closed by developer with no response
- 10/20/2020: developer released an update which did not address the issue
- 10/26/2020: developer released an update which did not address the issue
- 11/14/2020: full disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic