lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201201232029.q0NKTxRR005047@sf01web3.securityfocus.com>
Date: Mon, 23 Jan 2012 20:29:59 GMT
From: n0b0d13s@...il.com
To: bugtraq@...urityfocus.com
Subject: Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php)
 Unrestricted File Upload Vulnerability

--------------------------------------------------------------------------------
Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload
--------------------------------------------------------------------------------

author............: Egidio Romano aka EgiX
mail..............: n0b0d13s[at]gmail[dot]com
software link.....: http://kishpress.com/guest-posting-plugin/
 
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only.    |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+

[-] vulnerable code in /uploadify/scripts/uploadify.php

26.    if (!empty($_FILES)) {
27.        $tempFile = $_FILES['Filedata']['tmp_name'];
28.        $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
29.        $targetFile =  str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
30.        // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
31.        // $fileTypes  = str_replace(';','|',$fileTypes);
32.        // $typesArray = split('\|',$fileTypes);
33.        // $fileParts  = pathinfo($_FILES['Filedata']['name']);
34.        
35.        // if (in_array($fileParts['extension'],$typesArray)) {
36.            // Uncomment the following line if you want to make the directory if it doesn't exist
37.            // mkdir(str_replace('//','/',$targetPath), 0755, true);
38.            
39.            move_uploaded_file($tempFile,$targetFile);
40.            echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
41.        // } else {
42.        //     echo 'Invalid file type.';
43.        // }
44.    }

Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.

[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered
[19/12/2011] - Vendor notified through http://kish.in/contact-me/
[07/01/2012] - No response from vendor, notified again via email
[16/01/2012] - After four weeks still no response
[23/01/2012] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/18412/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ