Cleaning Up CherryFramework’s Malware Installer

July 16, 2015

Recently, an old client contacted me because emails were not being sent from their Godaddy hosted wordpress site. A quick look at the folders in their webroot made it clear that the site had been hacked and most likely the emails not working was a side-effect of godaddy noticing and blocking their email function.

After a bit of investigation, it looked like the most likely avenue was from the CherryFramework, which is a bootstrap wordpress theme/plugin framework. A bit more digging and I discovered a recently patched vulnerability in cherry-plugin/admin/import-export/upload.php

The entire contents of the vulnerable file is below:

<?php
	if(strtolower($_SERVER['REQUEST_METHOD']) != 'post'){
		exit_status('Error! Wrong HTTP method!');
	}
	if(array_key_exists('file',$_FILES)){
		$upload_dir = isset($_REQUEST['upload_dir']) ? $_REQUEST['upload_dir'] : $upload_dir ;
		$file_name =basename($_FILES['file']['name']);
		$upload_file = $upload_dir.$file_name;
		$result = move_uploaded_file($_FILES['file']['tmp_name'], $upload_file);
	}
	exit;
?>

As you can see from the above, which is the first version uploaded to git, the ONLY checking this file does is whether or not you are sending it some files to upload and telling it where to send it. So, it conveniently lets you upload any file to any directory on the webserver. Similarly, their download-content.php file also let you download arbitrary files from the webserver, with 0 checks in place to prevent abuse. You can see a screenshot of the github repository here.

This was fixed in later versions of CherryFramework and shows that the developer better understands wordpress now, as they not only implement a nonce and checks the logged in user’s capabilities by calling current_user_can, but also adds the code to an ajax action rather than just a malware installer like it was before.

Without casting too many stones, as no-one is perfect least of all me, I just can’t understand how something like this could get written, if not intentionally(which is entirely possible.)

Everyone makes mistakes and it is easy to miss something that can be abused…mistakes happen, get fixed, and we move on. But, something like that or SQL queries written with 0 thought to injection blow my mind.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s