For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
This issue was successfully tested on WordPress 4.5.3.
WordPress Media Upload functionality is used to upload image, audio, video and other allowed file extensions. The uploaded media types are automatically available to public users via so called public 'Attachment Pages'.
WordPress performs insufficient validation on the file name of uploaded media types and in specific images. The file name of an image is used as image Title (meta) in so called ‘attachment pages’ (HTML). An attacker can exploit this vulnerability by crafting an image file name with Cross-Site Scripting payload and lure an admin into uploading the image with the malicious file name.
Please note that the WordPress admin (victim) needs to use an operating system like for example Mac or Linux. These provide extended file name capabilities necessary for an attacker to be able to successfully use this vulnerability.
For the attack to succeed the following conditions have to be met:
- A WordPress admin uploads a malicious image file requested by a user this admin trusts or a popular malicious image that was spread via social media. This involves social engineering. In the Proof of Concept the file name cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpg was used.
- An attacker can now determine if the file name with which the malicious file is available on the WordPress site. With this information he can spread the URL to end users and the WordPress admin.
When an image with a file name such as cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpg is uploaded and viewed within WordPress the script code is executed:
The file name is always equal to the attachment page: