Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#46742 closed defect (bug) (wontfix)

Path Disclosure issue via Media Uploader

Reported by: chitran
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: minor
Version: 5.1
Component: Media
Keywords: 2nd-opinion
Focuses: (none)
Cc: (none)

Description

The issue occurs when a user tries to upload a picture via the Browser Uploader feature /wp-admin/media-new.php?browser-uploader with a modified PNG file that contains ASCII characters.

Proof of Concept (steps to reproduce):
1 - Login as an author
2 - Add new media using browser uploader
3 - Modify a PNG file and input some ASCII characters such as: <script></script>
4 - Click browse and choose that file to upload
5 - After clicking Upload, an error will show up containing Full Path of current website.

Warning: exif_imagetype(): PNG file corrupted by ASCII conversion in /var/www/html/wp-includes/functions.php on line 2672
Sorry, this file type is not permitted for security reasons.

Note that this error will be triggered even when PHP display_errors = Off.

Attachments (1)

Uploader.PNG (10.2 KB) - added by chitran 6 years ago.


Change History (5)

@chitran
6 years ago

#1 @joemcgill
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

I can't reproduce this error so I suspect that this is a server misconfiguration or the result of having debug constants set in your wp-config.php file or by some other plugin.

See the Security FAQ:

Why are there path disclosures when directly loading certain files?
This is a server configuration problem. Never enable display_errors on a production site.

Additionally, when you created this ticket:

Do not report potential security vulnerabilities here. See the Security FAQ and contact security@….

#2 @chitran
6 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

I believe that this is not a server misconfiguration since I have tested on several servers as well as on shared hosting. Also, the debug value in wp_config.php is not turned on. PHP display_errors = Off as well. The issue occurs only when we try to upload a modified PNG.

#3 @joemcgill
6 years ago

  • Keywords 2nd-opinion added

@chitran I've also tested on several environments with display_errors turned off using a PNG file modified exactly as you have described. I can get the warning to display by either ensuring that PHP display_errors is true/on or if I set both WP_DEBUG and WP_DEBUG_DISPLAY to true (note that the latter is true by default).

I'll wait for a second opinion, but this seems like a configuration issue where any warning will display and is not something that we specifically guard against.

I'll also reiterate that if you think you found a security issue, you should report it as outlined in the Security FAQ and not here.
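The configuration combination described in the comment above, shown as an added wp-config.php example (not code from the ticket or from WordPress core). It assumes the standard constants WP_DEBUG, WP_DEBUG_DISPLAY and WP_DEBUG_LOG, and that php.ini has display_errors = Off, which WordPress can still override at runtime when WP_DEBUG is on.

```php
<?php
/*
 * Added example: the debug settings that make a PHP warning (such as the
 * exif_imagetype() notice from the ticket, including the server path) render
 * in the upload response, next to a production-safe configuration.
 *
 * Assumption: php.ini already sets display_errors = Off. That alone is not
 * enough, because with WP_DEBUG enabled WordPress calls ini_set() itself.
 */

// --- Setting that surfaces warnings (what the reporter most likely had) ---
// WP_DEBUG turns on E_ALL reporting. WP_DEBUG_DISPLAY is not defined here,
// so it takes its default of true and WordPress enables display_errors at
// runtime, overriding the php.ini value. Any warning now reaches the browser.
define( 'WP_DEBUG', true );

// --- Production-safe setting ---
// Either leave WP_DEBUG off entirely, or keep it on but send warnings to the
// log instead of the HTTP response. Setting WP_DEBUG_DISPLAY explicitly to
// false makes WordPress call ini_set( 'display_errors', 0 ) rather than 1.
define( 'WP_DEBUG', false );          // no runtime change to display_errors
define( 'WP_DEBUG_DISPLAY', false );  // never echo warnings to visitors
define( 'WP_DEBUG_LOG', true );       // keep the details in wp-content/debug.log
@ini_set( 'display_errors', 0 );      // belt and braces for the PHP level
```

Only one of the two WP_DEBUG definitions can be active in a real file; the corrupted-PNG upload then yields just the "file type is not permitted" message while the full warning, path included, goes to the log.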

#4 @chitran
6 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

I do agree that this is not really a security issue and I have never mentioned the term “security”. I also agree that this is something related to configuration because of the processing of the corrupted PNG file. It may be better to get it fixed sometime in a future release. Let’s close this as wontfix if you want.

Very respectfully.
