[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 8 Mar 2012 09:39:00 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com, plugins@...dpress.org
Subject: Re: CVE-request: Kish Guest Posting Plugin for
WordPress File Upload Remote PHP Code Execution
On Tue, Mar 06, 2012 at 12:39:15PM -0700, Kurt Seifried wrote:
> On 03/06/2012 12:31 AM, Henri Salo wrote:
> > Can we assign CVE-identifier for this security vulnerability, thanks.
> >
> > http://osvdb.org/show/osvdb/78479
> > http://www.securityfocus.com/bid/51638
> > http://secunia.com/advisories/47688/
> > http://www.exploit-db.com/exploits/18412/
> >
> > Plugin is disabled in WordPress (doesn't show up in http://wordpress.org/extend/plugins/), but SVN can be found from here: http://plugins.svn.wordpress.org/kish-guest-posting/trunk/
> >
> > File http://plugins.svn.wordpress.org/kish-guest-posting/trunk/readme.txt says:
> >
> > """
> > = 1.2 =
> > security update for Uploadify Script
> > """
> >
> > But I haven't tested (yet) if that is valid fix for the vulnerability.
> >
> > - Henri Salo
>
> Please use CVE-2012-1125 for this issue.
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
For curious people this is from SVN trunk:
------------------------------------------------------------------------
r403694 | kiaso | 2011-07-02 13:40:59 +0300 (Sat, 02 Jul 2011) | 1 line
Uploadify.php security issue fixed
------------------------------------------------------------------------
r403689 | kiaso | 2011-07-02 13:24:03 +0300 (Sat, 02 Jul 2011) | 1 line
Uploadify.php security issue fixed
------------------------------------------------------------------------
Index: uploadify/scripts/uploadify.php
===================================================================
--- uploadify/scripts/uploadify.php (revision 403689)
+++ uploadify/scripts/uploadify.php (revision 403694)
@@ -1,3 +1,4 @@
+<<<<<<< .mine
<?php
/*
Uploadify v2.1.4
@@ -27,6 +28,7 @@
$tempFile = $_FILES['Filedata']['tmp_name'];
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
$targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
+
// $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
// $fileTypes = str_replace(';','|',$fileTypes);
// $typesArray = split('\|',$fileTypes);
@@ -35,11 +37,76 @@
// if (in_array($fileParts['extension'],$typesArray)) {
// Uncomment the following line if you want to make the directory if it doesn't exist
// mkdir(str_replace('//','/',$targetPath), 0755, true);
+ // Define allowed extensions
+ $allowable = array ( 'png', 'gif', 'jpg', 'jpeg' );
+ $fileext = strtolower(substr( $_FILES['Filedata']['name'], -3 ));
+
+ // Assume evil upload
+ $noMatch = 0;
+
+ // Give it a try with this tiny extensionckeck
+ foreach( $allowable as $ext ) {
+ if ( strcasecmp( $fileext, $ext ) == 0 ) {
+ $noMatch = 1;
+ }
+ }
+ if(!$noMatch){ // People are bad. I told you...
+ echo "This file is not allowed...";
+ exit();
+ }
+ else {
+ move_uploaded_file($tempFile,$targetFile);
+ echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
+ }
+
+ // } else {
+ // echo 'Invalid file type.';
+ // }
+}
+?>=======
In my opinion this is not a proper fix for this security vulnerability as this doesn't detect the filetype. This code only assumes file is valid if filename suffix matches item from allowable array. I do not know how to contact developer of this plugin. I could even provide a working patch for this vulnerability.
- Henri Salo
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
