WordPress任意文件上传漏洞

WordPress任意文件上传漏洞

WordPress是一款免费的论坛Blog系统。

WordPress中负责上传文件的代码如下：

漏洞文件：'wp-admin/includes/file.php'

Bugtraq ID:  37005 
Class:  Input Validation Error 
CVE:  
Remote:  Yes 
Local:  No 
Published:  Nov 11 2009 12:00AM 
Updated:  Nov 12 2009 03:56PM 
Credit:  Dawid Golunski 
Vulnerable:  WordPress WordPress 2.8.5
WordPress WordPress 2.8.4
WordPress WordPress 2.8.3
WordPress WordPress 2.8.2
WordPress WordPress 2.8.1
WordPress WordPress 2.8

描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 37005

WordPress是一款免费的论坛Blog系统。

WordPress中负责上传文件的代码如下：

wp-admin/includes/file.php:

---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
// All tests are on by default. Most can be turned off by $override[{test_name}] = \
false; $test_form = true;
$test_size = true;

// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---

// A properly uploaded file will pass this test. There should be no reason to \
override this one. if (! @ is_uploaded_file( $file['tmp_name'] ) )
        return $upload_error_handler( $file, __( 'Specified file failed upload test.' \
));

// A correct MIME type will pass this test. Override $mimes or use the upload_mimes \
filter. if ( $test_type ) {
        $wp_filetype = wp_check_filetype( $file['name'], $mimes );

        extract( $wp_filetype );

        if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
                return $upload_error_handler( $file,
                           __( 'File type does not meet security guidelines. Try another.' ));

        if ( !$ext )
                $ext = ltrim(strrchr($file['name'], '.'), '.');

        if ( !$type )
                $type = $file['type'];
} else {
        $type = '';
}

// A writable uploads dir will pass this test. Again, there's no point overriding \
this one. if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads['error'] \
) )  return $upload_error_handler( $file, $uploads['error'] );

$filename = wp_unique_filename( $uploads['path'], $file['name'], \
$unique_filename_callback );

// Move the file to the uploads dir
$new_file = $uploads['path'] . "/$filename";
if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
        return $upload_error_handler( $file,
           sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) \
); }
---[cut ]---

从上面代码可见所提供的文件名由$wp_filetype = wp_check_filetype( $file['name'], $mimes );执行检查。以下是wp_check_filetype()函数：

wp-includes/functions.php:

---[cut]---
line 2228:

function wp_check_filetype( $filename, $mimes = null ) {
        // Accepted MIME types are set here as PCRE unless provided.
        $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', \
array(  'jpg|jpeg|jpe' => 'image/jpeg',
                'gif' => 'image/gif',
                'png' => 'image/png',
                'bmp' => 'image/bmp',
                'tif|tiff' => 'image/tiff',
                'ico' => 'image/x-icon',
                'asf|asx|wax|wmv|wmx' => 'video/asf',
                'avi' => 'video/avi',
               
                ---[cut, more mime types]---
line 2279:

        $type = false;
        $ext = false;

        foreach ( $mimes as $ext_preg => $mime_match ) {
                $ext_preg = '!\.(' . $ext_preg . ')$!i';
                if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
                        $type = $mime_match;
                        $ext = $ext_matches[1];
                        break;
                }
        }

        return compact( 'ext', 'type' );
}

文件的类型被设置为匹配所提供扩展名的预定义MIME类型，扩展名是从匹配最后一个句号后mime ext.字符串的正则表达式获得的。如果$type列表中没有扩展名，$ext就会被设置为FALSE，wordpress会生成以下出错消息：“File type does not meet security guidelines. Try another”。

以下函数在文件上传之前对文件名执行了其他一些检查：

$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );

wp-includes/functions.php:

line 2096:
function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {
        // sanitize the file name before we begin processing
        $filename = sanitize_file_name($filename);

        ---[cut, code that only matters if uploaded file already exists]---

line 2126:
        return $filename;
}

如果要完全了解wordpress所执行的文件过滤，还要了解sanitize_file_name()函数：

wp-includes/formatting.php:

line 601:
function sanitize_file_name( $filename ) {
        $filename_raw = $filename;
        $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", \
",", "'", "\"",   "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", \
                chr(0));
        $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);  $filename = str_replace($special_chars, '', $filename);
        $filename = preg_replace('/[\s-]+/', '-', $filename);
        $filename = trim($filename, '.-_');
        return apply_filters('sanitize_file_name', $filename, $filename_raw);
}

过滤过程没有考虑到带有多个扩展名的文件，用户可以上传带有.php.jpg扩展名的任意PHP脚本，并通过直接请求上传的文件来执行恶意脚本。