Title: Unauthenticated remote .jpg file upload in contus-video-comments v1.0 WordPress plugin |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-06-15 |
CVE-ID: CVE-2016-1000112 |
CWE: CWE-22 Path Traversal |
Download Site: https://wordpress.org/plugins/contus-video-comments/ |
Vendor: https://profiles.wordpress.org/hdflvplayer/ |
Vendor Notified: 2016-06-15 |
Vendor Contact: |
Advisory: |
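Description: Video comments integrated with the standard comment system of WordPress. |
Vulnerability: The following code allows any user to upload .jpg files to the WordPress installation without authenticating: it writes the raw POST body to images/<id>.jpg. Because the id request parameter is concatenated into the filename unchecked, it also allows path traversal with ../.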
<?php
//This project is done by vamapaull: http://blog.vamapaull.com/
//The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/
if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){
    $jpg = $GLOBALS["HTTP_RAW_POST_DATA"];
    $filename = "images/". $_GET["id"]. ".jpg";
    file_put_contents($filename, $jpg);
} else{
    echo "Encoded JPEG information not received.";
}
?> |
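For comparison, a hardened version of the same handler, written for this page as an added example (it is not the plugin's or the vendor's code). It assumes the upload is re-routed through WordPress's admin-ajax endpoint; the `cvc_` function names, the `cvc_upload` action and nonce name, the target subdirectory and the 2 MiB limit are all hypothetical.

```php
<?php
// Added example: hardened replacement for the upload handler above.
// Function names, action/nonce names and the size limit are hypothetical.

const CVC_MAX_BYTES = 2097152; // 2 MiB cap (assumed limit)

// Return a safe target path, or null if the id or the payload is rejected.
function cvc_safe_target($base_dir, $id, $data) {
    // Allowlist the id: no dots or slashes, so "../" can never reach the path.
    if (!is_string($id) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    if ($data === '' || strlen($data) > CVC_MAX_BYTES) {
        return null;
    }
    // Check that the body really decodes as a JPEG, not just the extension.
    $info = @getimagesizefromstring($data);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    return rtrim($base_dir, '/') . '/' . $id . '.jpg';
}

function cvc_handle_upload() {
    // Reject callers without a valid nonce or the upload capability.
    check_ajax_referer('cvc_upload', 'nonce');
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    $uploads = wp_upload_dir();
    $dir     = $uploads['basedir'] . '/contus-video-comments';
    wp_mkdir_p($dir);
    // php://input replaces $HTTP_RAW_POST_DATA, which was removed in PHP 7.0.
    $data = file_get_contents('php://input');
    $id   = isset($_GET['id']) ? $_GET['id'] : null;
    $path = cvc_safe_target($dir, $id, $data);
    if ($path === null || file_put_contents($path, $data, LOCK_EX) === false) {
        wp_send_json_error('rejected', 400);
    }
    wp_send_json_success(basename($path));
}

// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
if (function_exists('add_action')) {
    add_action('wp_ajax_cvc_upload', 'cvc_handle_upload');
}
```

The header check confirms the file type but does not strip metadata; re-encoding the image with GD before saving would.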
Exploit Code:
|
Screen Shots: |
Notes: |