[Plugin: Visual Form Builder] File upload vulnerability?

  • Resolved Tom Auger

    (@tomauger)


    12 years, 1 month ago

    Sorry, what a pain, right? I notice that you’re not changing the uploaded file’s filename at all, and are just storing it in the uploads folder. Doesn’t this open up a massive vulnerability, since you’re letting anonymous users upload a file, possibly spoofed, and then immediately access that file, now on the server, in an easily guessable location?

    What if the uploaded file were a webshell?

    Okay, you enforce a file extension check, but I don’t know if that’s a 100% guarantee against an executable upload.

    Please note the relatively recent vulnerability that struck MMForms, and is the reason that plugin is now blacklisted on many sites.

    My recommendation is to hash the filename, or at least create a new folder for each upload with an unguessable, unique hash. That way an anonymous user can’t just upload a file and then access it immediately without any verification / validation at all. hackers notwithstanding, imagine someone (ab)using the upload form to upload questionable material and then immediately guessing and posting a link to that material to a file sharing site? Suddenly your plugin’s admin is unwittingly hosting a shared file without even knowing it!

    Something to consider. You may want to simply remove the file upload field for now until you have that issue addressed.

    https://www.ads-software.com/extend/plugins/visual-form-builder/

Viewing 5 replies - 1 through 5 (of 5 total)

  • No guessing required; the URL is contained within the email that the user gets a copy of.
    It’s really not ideal for the files to be stored in the uploads folder.

    Thread Starter Tom Auger

    (@tomauger)

    Even scarier. I haven’t checked to see whether the upload form uses nonces or not, but if not, there could be a real hole here.

    Plugin Author Matthew Muro

    (@mmuro)

    Please note the relatively recent vulnerability that struck MMForms

    My code is not even remotely close to how they uploaded files.

    Even scarier. I haven’t checked to see whether the upload form uses nonces or not, but if not, there could be a real hole here.

    Maybe you should look before spreading FUD.

    It’s really not ideal for the files to be stored in the uploads folder.

    You are welcome to change this. Here’s a tutorial on how to customize the upload directory.

    Thanks for the tutorial – I have made this change and it works, I can now upload to a different directory.

    Thread Starter Tom Auger

    (@tomauger)

    Hey Matt, I’m sorry if my comments appeared to be defamatory. I can tell from your responses that you’re upset. That was not my intention.

    I don’t know what FUD is, but I guess it’s not a nice acronym. At any rate, I accept that I haven’t checked too deeply into your code, but then again, you could have just explained how your code is structured to prevent security issues.

    Not trying to bust your chops. Just looking at ways to improve your already great plugin.

    Be well,

    Tom

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘[Plugin: Visual Form Builder] File upload vulnerability?’ is closed to new replies.