The Infinite Uploads Big File Uploads plugin is a popular WordPress plugin designed to increase the maximum file upload size in your website, allowing users to upload large files without taking up server space. Unfortunately, a recent security audit has discovered a Cross-Site Request Forgery (CSRF) vulnerability in versions <= 2.1.1 of the plugin. This vulnerability could potentially be exploited by a malicious user to perform unauthorized actions on the affected websites.
In this post, we will delve deeper into the technical aspects of the vulnerability, including the exploit details and the code involved. We will also provide information on how to mitigate this vulnerability in your website if you are using the affected plugin versions.
Exploit Details
The vulnerability is a result of insufficient CSRF protection in the plugin's settings update functionality. Essentially, an attacker can craft a malicious website or embed malicious code in a site that will cause the plugin's settings to be altered without the targeted user's consent when visited. This can lead to changed file upload settings and can potentially cause security risks or site disruptions.
The following code snippet demonstrates how the CSRF vulnerability could be exploited using a simple HTML form:
<!DOCTYPE html>
<html>
<body>
<h1>Malicious Form</h1>
<form action="http://target-site.com/wp-admin/admin-post.php"; method="POST">
<input type="hidden" name="action" value="iu_bfu_update_max_file_size" />
<input type="hidden" name="iu_bfu_max_file_size" value="99999999" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
In this example, the form submission triggers a POST request to the target website's admin-post.php file, invoking the 'iu_bfu_update_max_file_size' action. The 'iu_bfu_max_file_size' parameter is set to an abnormally large value, effectively bypassing any site size restrictions.
Original References
The vulnerability was initially reported by the security researcher who discovered the issue. They have published their findings, including details about the vulnerability and proof-of-concept (PoC) code, on their website at the following link:
- Infinite Uploads CSRF Vulnerability Details
The plugin developers have also acknowledged the vulnerability and have released a patch to address the issue:
- Infinite Uploads Changelog
To protect your website from this vulnerability, you should follow these steps
1. Update the Infinite Uploads Big File Uploads plugin to the latest version (2.1.2 or newer), which includes the patch for the CSRF vulnerability. You can check and update your plugin versions through your WordPress admin dashboard.
2. Review and adjust the maximum file upload size settings in the plugin to ensure they align with your desired configurations.
3. Educate your website administrators and users about potential phishing attacks and instruct them not to click on any suspicious links or visit untrusted websites.
Conclusion
In summary, the Cross-Site Request Forgery (CSRF) vulnerability in versions <= 2.1.1 of the Infinite Uploads Big File Uploads plugin poses a serious security risk to WordPress websites. By updating to the latest plugin version and following the mitigation steps outlined in this post, you can protect your website from potential exploits and maintain the security of your users and website data.
Timeline
Published on: 11/22/2023 19:15:00 UTC
Last modified on: 11/29/2023 02:29:00 UTC