WordPress File Upload Security – A Comprehensive Study

This article makes an overall detailed presentation of WordPress File Upload security measures and capabilities.

WordPress is by far the most popular CMS platform. Millions of websites, personal and professional, are built on it. Due to its popularity it is an often target to hackers, so administrators need to be careful and take precautions for protecting their WordPress website.

Upload forms may impose significant security risks for a website because if they are not designed carefully they can be used by hackers to upload malicious files and take control of it or cause overflow and crashing. Threats related to file uploads are Arbitrary/Unrestricted File Uploads, Web Shells, XSS and CSRF attacks, Spam/Bot Uploads and Distributed Denial-Of-Service (DDOS) attacks. They are explained in detail in the following paragraphs.

Arbitrary/Unrestricted File Upload vulnerability is the ability to upload any type of file through an upload form into a website. This is a very high security risk, because a hacker can upload script/executable files (like .php, .exe etc.), which can then execute remotely and perform various actions, such as explore the file structure, retrieve sensitive data or even cause damage to the website. There are several ways to prevent arbitrary file uploads. The most simple is to perform file extension or MIME type checks of the uploaded files and allow only specific extensions (extension white list). However, on some occasions extension check is not enough because hackers use double extensions (like filename.php.jpg) or include executable code inside “safe” files, like in .svg or .jpeg images. So additional measures need to be taken, such as checks for double extensions or ultimately analysis of the contents of the uploaded files to reveal its actual type or detect hidden code.

A Web Shell is a context through which a hacker can execute arbitrary commands on a website. It is like using a Terminal for Linux web servers or Command Prompt for Windows. To install and operate a Web Shell, a hacker needs first to upload some script/executable files into the website through Arbitrary/Unrestricted File Upload. It is then easy to send remote commands through suitable GET or POST requests. So, prohibiting the upload of script/executable files will prevent this type of unauthorized external control of the website.

However, there are also other ways to execute commands, using Cross-Site Scripting (XSS) attacks. In a common XSS attack a hacker calls a normal HTTP GET request in which some arbitrary code has been included as a parameter, e.g. http://www.mysite.com/?search=<script%20type='text/javascript'>alert(1);</script>. If the website has not taken precautions against this kind of attacks and the code is actually executed, then the hacker can exploit it to pass even more complex commands and retrieve sensitive information (like cookies) or execute server-side commands. Hidden arbitrary code can also be passed through upload form parameters, or even through the filename of the uploaded file. A measure against this kind of attacks is to perform sanitization of parameters when receiving and serving HTTP requests and reject suspicious requests.

There are occasions where a hacker can make a normal user perform undesired actions while being logged in a website, without the later noticing. These are called Cross-Site Request Forgery (CSRF) attacks. So, it is actually the user who makes the attack on behalf of the hacker and this is why CSRF attacks cannot be used for stealing data, but for changing something in a website. So a hacker can force a logged user to run HTTP requests that cause deletion of files, change of passwords etc. These requests will be accepted by the website because they are called by a legitimate user. An upload plugin which delivers upload requests and it also provides a back-end interface for administrators / logged users to perform additional actions (view, delete, edit, download operations etc.) is also susceptible to CSRF attacks. A countermeasure against CSRF attacks is to make use of GET requests, which are the most prone to such attacks, only for receiving data and not for changing something (e.g. deletion of files). Another measure is the replacement of actual HTTP request parameters by tokens that have a very short life and can be used only once. In this case, even if the hacker tries to reproduce an HTTP request to perform some actions, the request will be rejected because the token will have already been expired.

Another type of threat is Spam/Bot Uploads. A script (robot) performs repetitive and automated uploads using the upload form, so garbage/useless files accumulate to the website, consuming web server resources and also network traffic. A countermeasure to robot uploads is the use of captcha mechanisms to verify whether the uploader is a human or a robot. On some occasions robots are smart enough to solve the captcha automatically, so the more sophisticated the captcha the better protection against robots.

Finally another dangerous threat is Distributed Denial-Of-Service (DDOS) attacks. A hacker uses the upload form to perform thousands of uploads of small files, or uploads of huge files. Its purpose is to consume web server resources like free space, memory or computing power, causing unpredictable behavior. In the most “safe”scenario the web server will just stop functioning until normal operation and resources are restored, however there are occasions where the underlying database or file system will crash causing loss of data. A countermeasure against DDOS attacks is to employ captchas so that automated uploads cannot be performed. Another countermeasure is to monitor the frequency of file uploads and take actions (like rejection of uploads) if they exceed a predefined limit.

So after presenting all the possible threats related to file uploads, it is time to describe how WordPress File Upload plugin copes with them.

After 3 years of continuous development, exhaustive tests in real environments by demanding users and frequent consultation by security experts, WordPress File Upload ensures that it is a very safe upload plugin that does not impose additional security risks when installed in a WordPress website.

Here is how the plugin protects against each aforementioned threat:

• Arbitrary/Unrestricted File Uploads. Iptanus performed a very thorough analysis of thousands of existing file extensions and ended up to a list of 2504 extensions which are considered as dangerous (black-list), as well as a list of 134 common extensions which are considered as allowable (white-list). The plugin will never allow upload of files belonging to the black-list. The algorithm will also detect and check double extensions. The plugin gives also the option to administrators to define a list of allowable extensions through uploadpatterns attribute of the upload shortcode. Definition of a short list of allowable extensions is strongly recommended. However in case that such a list is not defined or it is too generic then the plugin will also use its own default white-list to allow only specific file types. Furthermore, check of contents is performed to image files to detect if they really are images or they are fake. These measures will efficiently minimize the risk of allowing dangerous files to be uploaded.
• Web Shells. As mentioned above, Web Shells require script/executable files to be uploaded by hackers to a website using Arbitrary/Unrestricted File Upload. So, if the later is effectively prevented, then they cannot be exploited. However, it is likely that hackers include code in files which have legitimate extensions and which pass the above filters. These files remain safe as long as their extension is legitimate. However if the hacker manages to change their extension by renaming them, then they become dangerous. Though the plugin enables administrators to rename files, it does not allow to change their extension. So, even if a hacker manages to upload dangerous content hidden in legitimate files, use of it for creating Web Shells will not be possible.
• XSS attacks. All HTTP requests handled by the plugin are first checked for suspicious behavior on multiple levels before executed. The plugin handler expects specific parameters for every request and specific caller. If the caller (the user who initiated the request) is not the expected one or parameters are missing then the request is rejected. All parameters are strictly sanitized, based on their type. If any parameter value is not valid after sanitization the request is rejected. Furthermore in most cases WordPress nonces (tokens) are used to verify the referrer and the validity of the request. Consequently it is very unlikely that a hacker will manage to pass code through HTTP requests handled by the plugin.
• CSRF attacks. WordPress File Upload plugin has a very extensive back-end interface from where an administrator can perform many tasks, such as change settings, browser / edit / delete / download files, view upload history, perform maintenance tasks etc. Each of these operations are served through HTTP GET and POST requests. All requests that involve some change (e.g. change of settings, edit / delete / rename / download of a file) obscure their parameters using unique tokens. For instance an HTTP request for deleting a file does not include the file path or file ID in the parameters of the request. It is replaced by a unique token which has a short life and can be used only once. So, if a hacker wants to delete a specific file he cannot because he is not aware of the token. Even if he tries to re-execute a deletion request, he will fail because the token will have been expired. Furthermore, the plugin will never expose sensitive data (such as settings, URLs, filenames) in the HTTP request URL or the response. Any sensitive data will be replaced by tokens.
• Spam/Bot Uploads. To prevent automated robot uploads the administrator has the option to add a captcha to the upload form. The plugin employs Google Recaptcha, which is one of the safest available. It supports both the old and new version of Google Recaptcha though the new one is both easier and safer.
• DDOS attacks. Apart from captcha option, the plugin has an additional countermeasure against DDOS attacks. It continuously monitors the frequency of uploads. If a large number of files gets uploaded within a small time frame then this is considered as a DDOS attack. The plugin will reject any further uploads and the administrator will be notified by email. Instead of uploading thousands of small files, an attacker may attempt to upload few files of very large size, in order to occupy all free space and cause crash of the file system. The plugin will again prevent such attacks because it contains a file size filter. Files larger than a specified limit, defined by maxsize attribute will be rejected before they are uploaded.

So it is obvious that the plugin has considered and has taken precautions against all possible threats related to file uploads. This ensures that WordPress File Upload provides a high level of security, even for demanding situations. Of course, fight against crime and hackers never stops. As hackers discover new ways to penetrate to systems, plugin creators need to be quick and keep their plugins up-to-date. Iptanus issues WordPress File Upload updates regularly, incorporating any new developments related to security. Furthermore, it issues urgent updates whenever a security weakness is detected or a severe bug.

For more information about security features of WordPress File Upload plugin you can contact Iptanus.