Document Title: =============== Wordpress Levo-Slideshow 2.3 - Arbitrary File Upload Vulnerability References (Source): ==================== http://ift.tt/1Yck1C5 Release Date: ============= 2016-06-07 Vulnerability Laboratory ID (VL-ID): ==================================== 1854 Common Vulnerability Scoring System: ==================================== 7.5 Product & Service Introduction: =============================== Make sure you have a Levo slideshow a very effective technique to display unlimited number of product images within a single box and just takes only few minutes to accomplish without getting too much into coding. No WP slider plugin has become as wide-spread and as popular recently as this particular free WP Levo slider, offering a marvelous method for displaying a lot of content in such a minimal space, and to mention also a great way to highlight your best and most popular product images or articles in an enhanced way. And on top off all that, this indispensable, yet smooth and free WP slider plugin is incorporated with amazing set of features including a colossal space set aside to main flash image, a miniature sized image, image reflection option, description box with title, navigation arrows, auto-play/pause button, auto play timer into your WP powered websites or blogs. (Copy of the Homepage: http://ift.tt/1TTzRfK ) Abstract Advisory Information: ============================== An independent Vulnerability Laboratory Researcher discovered a arbitrary file upload vulnerability in the Wordpress Levo-Slideshow v2.3 plugin. Vulnerability Disclosure Timeline: ================================== 2016-06-07: Public Disclosure (Aaditya Purani) Discovery Status: ================= Published Affected Product(s): ==================== Go Responsive (Themes) Product: Levo-Slideshow - Wordpress Plugin (Web-Application) 2.3 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ An arbitrary file upload web vulnerability has been discovered in the official Levo-Slideshow v2.3 wordpress plugin web-application. The vulnerability allows remote attackers to upload files via POST method with multiple extensions to unauthorized access them on application-side of the service. The vulnerability is located in the "admin.php" file when processing to upload via the admin.php file own malicious context or webshells. After the upload the remote attackers are able to access the file with one extension and exchange it with the another one to execute for example php codes. The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.5. Exploitation of the arbitrary file upload vulnerability requires no user interaction and an unprivileged application user account. Successful exploitation of the vulnerability results in unauthorized file access via arbitrary file upload exploitation. Vulnerable Application(s): [+] Wordpress Levo-Slideshow v2.3 Vulnerable Module(s): [+] /wordpress/wp-admin/ Vulnerable File(s): [+] admin.php Affected Module(s): [+] /uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/ Proof of Concept (PoC): ======================= The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction and with an uprivileged application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Login as an unprivileged user, which has no privilege of even uploading a plugin 2. Go to http://ift.tt/1X8Maui 3. If any Gallery exists than don't create and go to "Category Management" 4. Click on "Add New", Upload any .png / ,jpg image from your PC and intercept the request 5. After Intercepting the request while upload, Send request to Repeater 6. Change filename = image.png.php and in $POST image data add your PHP Backdoor between image chunk . It should look like this http://ift.tt/1TTzstM 7. Forward the request and go to http://ift.tt/1X8MtVW] to access your shell 8. Successful reproduce of the vulnerability! PoC: Exploitation $GET: http://ift.tt/1TTzfa2
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment