Directory traversal is an HTTP attack that allows an attacker to access restricted files, directories, and commands that reside outside the web server’s root directory.
WordPress versions from 3.0 to 4.8.1 are vulnerable to path traversal or directory traversal when extracting zip files.
This vulnerability occurs during unzip operations in the ZipArchive and PclZip components, allowing attackers to overwrite arbitrary files.
The unzip_file function takes ‘$to’ as an argument: the target directory into which the files in the zip should be extracted. If a maliciously crafted zip file contains an entry whose filename starts with dot dot slash (../), that file is extracted into the parent of the ‘$to’ target directory.
An attacker can place a file in any directory to which the web server has write permission by using a specially crafted filename, for example:
A zip entry with a filename of ../../../../../../../../../../tmp/file would write the file contents to ‘/tmp/file’ on the web server.
Both PHP’s built-in ZipArchive (/wp-admin/includes/file.php:_unzip_file_ziparchive) and the third-party PclZip (/wp-admin/includes/file.php:_unzip_file_pclzip) extraction methods are vulnerable to directory traversal when unzipping. Neither function checks whether each entry’s resolved destination path lies within the ‘$to’ target directory.
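The missing check, shown as an added example that is not WordPress core code: each entry name is resolved lexically and rejected if it would land outside ‘$to’. The helper name safe_zip_destination and the sample entry names are assumptions.

```php
<?php
// Added example, not WordPress core code. Demonstrates the check that
// _unzip_file_ziparchive() / _unzip_file_pclzip() lacked in 3.0 to 4.8.1:
// resolve each entry name lexically and refuse anything outside $to.
// safe_zip_destination() is a hypothetical helper name.

/**
 * Return the absolute destination path for $entry under $to, or null if the
 * entry would resolve outside $to (e.g. "../../../../tmp/file").
 */
function safe_zip_destination(string $to, string $entry): ?string
{
    // Normalise separators; zip entry names may use either.
    $base  = rtrim(str_replace('\\', '/', $to), '/') . '/';
    $parts = [];

    foreach (explode('/', str_replace('\\', '/', $entry)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;              // empty or current-dir segment: no-op
        }
        if ($seg === '..') {
            if ($parts === []) {
                return null;       // would climb above $to: reject
            }
            array_pop($parts);     // ".." that stays inside the tree is harmless
            continue;
        }
        $parts[] = $seg;
    }

    if ($parts === []) {
        return null;               // resolves to $to itself, nothing to write
    }
    return $base . implode('/', $parts);
}

// Constructed entry names, as they might appear in an uploaded plugin zip.
$to      = '/var/www/html/wp-content/upgrade/plugin';
$entries = [
    'plugin/readme.txt',                          // normal entry
    'plugin/../plugin/plugin.php',                // ".." that stays inside $to
    '../../../../../../../../../../tmp/file',     // the traversal from the advisory
    '..\\..\\wp-config.php',                      // backslash variant
];
foreach ($entries as $entry) {
    $dest = safe_zip_destination($to, $entry);
    printf("%-45s => %s\n", $entry, $dest ?? 'REJECTED');
}
```

The lexical check is a defence against crafted entry names only; a deployment that also allows symlinks inside ‘$to’ should additionally compare realpath() of the final destination’s parent against realpath() of ‘$to’ before writing.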
An attacker may exploit this vulnerability to write malicious files to any location where the web server has write permission. An attacker can upload reverse shells or configuration files, or, if the web server is misconfigured, even add SSH access.
Ultimately, the attacker may access confidential information or even compromise the entire server.
To prevent this directory traversal attack, update WordPress to version 4.8.2 or the latest available version.