Arbitrary File Read
Introduction
This article covers cases of possible Arbitrary File Read on WordPress. This includes improper file fetch handling inside a plugin or theme that can be abused to read arbitrary local files on the server.
Useful Functions
Several functions can help identify a possible Arbitrary File Read vulnerability:
- PHP related
- WordPress related
Example Cases
Below is an example of vulnerable code:
add_action("wp_ajax_get_file", "ajax_get_file");

function ajax_get_file() {
    global $wp_filesystem;
    // Make sure that the above variable is properly set up.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();

    // Vulnerable: the path comes straight from the request, with no capability check,
    // no nonce check and no validation of where the path points.
    $url = $_GET["url"];
    $data = $wp_filesystem->get_contents($url);
    $data = json_encode($data);
    echo $data;
    die();
}
To exploit this, any authenticated user just needs to send a request (GET or POST) to the /wp-admin/admin-ajax.php endpoint with the url parameter set, which triggers the WP_Filesystem_Direct::get_contents function on the supplied path. Because the handler is registered on a wp_ajax_ hook without a capability check, a nonce check or any path validation, every logged-in user can reach it.
curl '<WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=get_file&url=/etc/passwd' -H 'Cookie: <AUTHENTICATED_USER_COOKIE>'
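A hardened counterpart to the handler above, added here as an example and not part of the original article or any plugin: it adds a capability check, a nonce check and a containment check that resolves the requested file and confirms it still lies inside one allowed directory. The hook name, the nonce and file parameters and the plugin-exports directory are assumptions.

```php
<?php
// Example hardened handler (added example, not from the original page).
// Assumes the plugin only ever needs to serve files from its own exports directory.
add_action( 'wp_ajax_get_file_safe', 'ajax_get_file_safe' );

function ajax_get_file_safe() {
    // 1. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the nonce must have been issued for this action
    //    (created on the page with wp_create_nonce( 'get_file_safe' )).
    check_ajax_referer( 'get_file_safe', 'nonce' );

    // 3. Input: accept a bare file name only, never a full path or URL.
    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing file', 400 );
    }

    // 4. Containment: resolve both the allowed directory and the requested file,
    //    then require that the resolved file is still below that directory.
    //    realpath() follows symlinks and collapses '..', so a path that escapes
    //    the directory fails the prefix comparison.
    $upload_dir = wp_upload_dir();
    $base = realpath( trailingslashit( $upload_dir['basedir'] ) . 'plugin-exports' );
    $path = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $base
        || false === $path
        || 0 !== strncmp( $path, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 )
        || ! is_file( $path ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Only now touch the filesystem, and only with the validated absolute path.
    global $wp_filesystem;
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    wp_send_json_success( $wp_filesystem->get_contents( $path ) );
}
```

When reviewing plugin code, the absence of any one of steps 1, 2 or 4 around a file read driven by request data is the pattern to flag.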
Below are some of the findings related to Arbitrary File Read:
Contributors
