WordPress LearnPress Plugin <= 4.1.4.1 - Arbitrary Image Renaming


LearnPress is a complete WordPress solution for creating a Learning Management System (LMS). It helps you create courses, lessons and quizzes.

A user of this LMS can upload an image as a profile avatar after registration. The user then crops and saves the image, and a POST request containing the user-supplied image name is sent to the server, which crops the image and renames it. As a result of this request, the user-supplied image is renamed to an MD5 value. This process only works when the image type is JPG or PNG.

An attacker can use this vulnerability to rename an arbitrary image file on the server and thereby break the design of the web site. Some examples of the malicious actions:

  • Destroying the banner of a web site
  • Destroying user avatars
  • Destroying post images
  • Destroying button/app images, etc.

Code Analysis

File: inc/user/lp-user-functions.php

function learn_press_update_user_profile_avatar() {

    // ...
    // ... Deleted lines for validating the user
    // ...

    $upload_dir = learn_press_user_profile_picture_upload_dir();

    // The lp-user-avatar-custom parameter must be "yes" to pass this condition
    if ( learn_press_get_request( 'lp-user-avatar-custom' ) != 'yes' ) {
        delete_user_meta( get_current_user_id(), '_lp_profile_picture' );
        return false;
    }

    // Getting user-supplied data from the lp-user-avatar-crop POST parameter
    $data = learn_press_get_request( 'lp-user-avatar-crop' );

    // Attention! $path is built directly from the user-supplied file name ($data['name']),
    // with no sanitisation. Note also that && binds tighter than ||, so file_exists()
    // is only reached when the assignment yields a falsy value, which a non-empty path never is.
    if ( ! $data || ! ( $path = $upload_dir['basedir'] . $data['name'] ) && file_exists( $path ) ) {
        return false;
    }

    // ...
    // ... Deleted lines for getting the file type ($filetype)
    // ...

    if ( 'jpg' == $filetype['ext'] ) {
        $im = imagecreatefromjpeg( $path );
    } elseif ( 'png' == $filetype['ext'] ) {
        $im = imagecreatefrompng( $path );
    }

    // Attention! Only jpg and png files can pass this condition
    if ( ! isset( $im ) ) {
        return false;
    }

    // ...
    // ... Deleted lines for the cropping process and creating the new cropped image ($new_avatar)
    // ...

    // Big attention! The user-supplied file is deleted.
    @unlink( $path );

    return $new_avatar;
}
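As an added example that is not part of the plugin or this post, the following shows one way to make the avatar name safe before the file is opened or unlinked: accept only a bare file name with an image extension, resolve it, and require the resolved path to stay under the upload directory. The function name lp_resolve_avatar_path and the temporary demo directory are assumptions.

```php
<?php
// Added example (not LearnPress code): containment check for the user-supplied
// avatar name. Returns the resolved path when $name is a plain file name that
// resolves to a file inside $basedir, otherwise null.
function lp_resolve_avatar_path(string $basedir, string $name): ?string {
    // 1. Only a bare file name with an allowed image extension is acceptable
    //    (no slashes, no "..", no other extensions such as .php).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png)\z/i', $name)) {
        return null;
    }
    // 2. Resolve both sides and require the file to live under the upload dir.
    //    realpath() also collapses symlinks, so a link pointing outside fails.
    $root = realpath($basedir);
    $path = realpath($basedir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside the upload directory
    }
    return $path;
}

// Constructed demo: a temporary upload dir with one avatar, and one image
// outside it standing in for a theme asset such as a site banner.
$base = sys_get_temp_dir() . '/lp-avatar-demo-' . getmypid();
mkdir($base);
mkdir($base . '/avatars');
touch($base . '/avatars/me.png');
touch($base . '/header.png');

$cases = ['me.png', '../header.png', 'me.php', 'x/../../header.png'];
foreach ($cases as $name) {
    $resolved = lp_resolve_avatar_path($base . '/avatars', $name);
    printf("%-22s => %s\n", $name, $resolved === null ? 'rejected' : 'ok');
}

// Clean up the demo files.
unlink($base . '/avatars/me.png');
unlink($base . '/header.png');
rmdir($base . '/avatars');
rmdir($base);
```

Only the plain avatar name resolves; the traversal names and the non-image name are rejected before any unlink() could run.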