| Title: Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2016-06-15 |
| CVE-ID:[CVE-2016-1000112] |
| CWE: CWE-22 Path Traversal |
| Download Site: https://wordpress.org/plugins/contus-video-comments/ |
| Vendor: https://profiles.wordpress.org/hdflvplayer/ |
| Vendor Notified: 2016-06-15 |
| Vendor Contact: |
| Advisory: |
| Description: Video comments integrated with the standard comment system of wordpress. |
| Vulnerability: The following code allows any user to upload .jpg files to the WordPress installation. It also allows path traversal with ../.
<?php
//This project is done by vamapaull: http://blog.vamapaull.com/
//The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/
if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){
$jpg = $GLOBALS["HTTP_RAW_POST_DATA"];
$filename = "images/". $_GET["id"]. ".jpg";
file_put_contents($filename, $jpg);
} else{
echo "Encoded JPEG information not received.";
}
?> |
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
| Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory