Is There Supposed to Be a Gravity Forms Folder in the Uploads Directory?

During our regular cleanup process we came across a reinfection case that caught our attention.

This particular environment didn't have anything special or fancy: it was an updated WordPress installation with 3 out-of-date plugins; that's pretty reasonable.

After running through our processes and cleaning the environment we kept coming back to a reinfection; the attacker kept uploading malicious files to the server.

[Image: file-modified]

This got us very curious, so we had to dig a little deeper.

The malicious files were being uploaded to '/wp-content/uploads/gravity_forms' and '/wp-content/uploads' on February 21st, but how?

While forensics is not a default offering and the customer was not using our Website Firewall (which would have prevented the reinfection), we do love a good challenge. So why not investigate when the cases are curious, such as this one. Fortunately, we had access to the logs and were able to find some interesting requests to those particular files.

With that in mind, we started looking for different variations of "_input_" and found a lot of requests to those files.

[Image: file-requests]

We went back a few days in the logs to find what preceded those requests and where they could have come from.

[Image: file-source]

In analyzing the files, we came across these requests to "?gf_page=upload"; that sounds interesting, doesn't it?

We searched for that string in the file system and found an instance within the WordPress plugin Gravity Forms (outdated version 1.8.19).

Gravity Forms is a WordPress plugin used originally for contact forms, but in a more general sense, it allows site owners to create forms to collect information. Gravity Forms can be used for contact forms, WordPress post creation, calculators, employment applications and more.

Written in PHP, Gravity Forms uses many WordPress built-in functions and features to power its form builder. It also uses the same MySQL database system as WordPress, but stores all forms and entries in its own tables.

Gravity Forms is open source and GPL licensed. All of the code included is unencrypted, and easy to modify. We've added in tons of hooks and filters to be able to customize Gravity Forms to your heart's content.

Upon further investigation, we found "?gf_page=upload" within common.php on line 3635.

[Image: gf_page]

It was very interesting, not in a good way though; there was no sanitization of that request.

For testing purposes, I requested "?gf_page=upload" to see what would happen and, interestingly enough, we got this:

[Image: failed-upload]

Which led to searching where the message was being processed.

[Image: failed-upload-from]

From checking upload.php, we see that $_REQUEST["form_id"] has to be set, otherwise the upload fails.
Keep in mind that at this point we had already bypassed any protections that could prevent unauthorized users from accessing that resource.

I set the value of form_id to 1 and made another request with a crafted upload form, and this time the error was a little bit different.

[Image: file-type-not-allowed]

As I tried sending a test.php, we hit a function file_name_has_disallowed_extension() that didn't allow the file to be uploaded, but we're stubborn, so let's not give up.

By checking the declaration of those functions in common.php we found out why this happened.

There's a list of disallowed extensions in get_disallowed_file_extensions() that the function file_name_has_disallowed_extension() checks against, and PHP is among the extensions in the list.

[Image: file-allowed-extensions]

It basically means that we can't upload .PHP files, right? Wrong, and let's see why.

Inside includes/upload.php, we see that we have full control over the filename that is being uploaded as well as how the file is saved on the server. Lines 54 and 55 give us that power through simple HTTP requests.

We also see that if $field is empty, the execution dies (lines 59, 60), so we set field_id to 1.

[Image: file-upload-filename]

After changing the filename from test.php to test.jpg we got a very interesting response.

[Image: file-upload-success]

The file was uploaded to the server but its name is _input_1_, so we can't do much with it.
It turns out that this is how the temp_filename is created:

[Image: file-tmp-filename]

Breaking that down, we have the following:

  • $form_unique_id: we didn't set any value here
  • _input_: hardcoded
  • $field_id: we set that to 1, as mentioned above
  • _: hardcoded
  • $file_name: we control this data, therefore we can set .php here

Our $tmp_file_name is ready to go and we finally have what we were looking for! 🙂

[Image: file-success-php]
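As an added example (not code from the original post, nor from Sucuri or Gravity Forms), the log triage described earlier and the _input_ naming scheme broken down above can be combined into a small detector: it parses combined-format web server log lines, flags requests to ?gf_page=upload and requests to script-like files named <unique>_input_<field_id>_<file_name> under the uploads directory, and reports clients that did both. The sample log lines and the set of executable extensions are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format parser: client IP, method, URL and status are enough here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Files written by the vulnerable handler are named <unique>_input_<field_id>_<file_name>
# and land directly under /wp-content/uploads or /wp-content/uploads/gravity_forms.
UPLOAD_RE = re.compile(r'^/wp-content/uploads/(?:gravity_forms/)?[^/]*_input_\d+_[^/]+$', re.I)
SCRIPT_EXT = {"php", "phtml", "php5"}  # assumed set of extensions the web server would execute

def classify(line):
    """Return (kind, ip, url) for a request worth flagging, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if parse_qs(url.query).get("gf_page") == ["upload"]:
        return ("upload_attempt", m["ip"], m["url"])
    if UPLOAD_RE.match(url.path) and url.path.rsplit(".", 1)[-1].lower() in SCRIPT_EXT:
        return ("script_hit", m["ip"], url.path)
    return None

def scan(lines):
    """Group findings per client IP and flag clients that used the upload endpoint
    and then requested a script-like _input_ file (upload followed by execution)."""
    per_ip = defaultdict(lambda: {"upload_attempt": 0, "script_hit": 0, "paths": set()})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, ip, url = hit
        per_ip[ip][kind] += 1
        if kind == "script_hit":
            per_ip[ip]["paths"].add(url)
    return {ip: dict(v, likely_webshell=v["upload_attempt"] > 0 and v["script_hit"] > 0)
            for ip, v in per_ip.items()}

# Constructed sample log lines (not from the original post); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2015:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [21/Feb/2015:10:01:09 +0000] "POST /?gf_page=upload HTTP/1.1" 200 61',
    '203.0.113.5 - - [21/Feb/2015:10:01:15 +0000] "GET /wp-content/uploads/gravity_forms/_input_1_test.php HTTP/1.1" 200 13',
    '198.51.100.7 - - [21/Feb/2015:10:05:00 +0000] "GET /wp-content/uploads/2015/02/photo.jpg HTTP/1.1" 200 40213',
    '198.51.100.7 - - [21/Feb/2015:10:06:30 +0000] "GET /wp-content/uploads/_input_1_x.php HTTP/1.1" 200 88',
]
```

Running scan(SAMPLE_LOG) flags 203.0.113.5 (upload endpoint hit, then a .php _input_ file requested) and leaves 198.51.100.7 unflagged because no upload attempt was seen from it; a lone script_hit is still worth a look at the file itself.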

Conclusion

From checking the changelog for Gravity Forms we see that the security fix was applied in version 1.8.20, so please update ASAP: http://www.gravityhelp.com/gravity-forms-v1-8-20-released/

Gravity Forms v1.8.20 is now available via automatic update and the customer downloads page. This is an important security and maintenance release.
We recommend all users update as soon as possible. It is important to always keep WordPress, plugins and themes up to date as a matter of best practice.

  • Fixed a security issue with the file upload field.

Versions 1.8.19 and lower might be affected by this vulnerability.

We always say that keeping all software updated is one of the most important steps you can take towards reducing the risk of infection, and this post is a good example of why.

This is a dangerous vulnerability; you should update all of your websites using this plugin as soon as possible. If for whatever reason you cannot, we highly recommend you take a look at our Website Firewall (WAF) product. It's designed to help you stay ahead of vulnerabilities like the one described here, and many more.


Source: https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
