Fixing arbitrary file upload in Form Block 1.5.6
Due to a missing file type check, it was possible to upload files of any type in Form Block simply by declaring a different type to the server. This has been fixed in Form Block 1.5.6; updating is highly recommended.
The issue
The general issue with this kind of security problem is that (in the case of Form Block) any user can upload, for example, a PHP file while telling the server it is a JPG file. The server then treats it as a JPG file, and if the user also gets a way to execute the uploaded PHP file, this can lead to remote code execution, meaning the user could run arbitrary code on the server.
I want to clarify that this is not possible in Form Block or Form Block Pro. In Form Block, the files are not processed further and are just sent via e-mail to the administrator, so the data is not accessible for a remote code execution attack. For Form Block Pro users with the local upload enabled, the uploaded files are indeed stored on the server, but explicitly in a binary file, which makes it impossible to execute them directly. It would require another security issue to use this as an attack vector.
The solution
With Form Block 1.5.6, any uploaded file is now properly checked against the given content type. This means a PHP file can no longer be uploaded by default, as WordPress does not allow it to be uploaded at all. For other supported file types, the actual uploaded file is checked to confirm it matches the file type it claims to be.
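To illustrate the difference between the old and the new behaviour, here is an added example in plain PHP (not Form Block's own code): one check that trusts the type the browser declares in the multipart request, beside one that derives the type from the file bytes and requires it to match both an allow-list and the file extension. The allow-list, the function names and the constructed sample upload are assumptions for this example.

```php
<?php
// Added example, not the plugin's code: a declared-type check beside a
// content-based check for an uploaded file.

// Allow-list of extension => MIME type (assumed for this example).
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Vulnerable: trusts the type the client sent with the request.
// $file has the shape of one entry in $_FILES.
function is_allowed_by_declared_type(array $file): bool
{
    return in_array($file['type'], ALLOWED_TYPES, true);
}

// Hardened: detect the type from the file contents and require that it
// matches the allow-listed type for the extension of the declared name.
function is_allowed_by_content(array $file): bool
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;
    }
    $finfo  = finfo_open(FILEINFO_MIME_TYPE);
    $actual = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    return $actual === ALLOWED_TYPES[$ext] && $actual === $file['type'];
}

// Constructed sample: a PHP script uploaded under a .jpg name with an
// image/jpeg content type, the situation described in the report.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'hello'; ?>\n");
$upload = ['name' => 'photo.jpg', 'type' => 'image/jpeg', 'tmp_name' => $tmp];

var_dump(is_allowed_by_declared_type($upload));
var_dump(is_allowed_by_content($upload));
unlink($tmp);
```

The declared-type check accepts the sample because it only looks at the client-supplied string, while the content-based check rejects it because libmagic does not identify the bytes as image/jpeg. Inside WordPress, wp_check_filetype_and_ext() performs this kind of comparison between the real content and the claimed type and is the call a plugin would normally use.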
In another article, I will clarify why the problem occurred in the first place and how I solved it.
Thanks to Phat RiO for identifying and reporting the issue and to Patchstack for providing the mVDP program to ensure a proper process until fixing it.