Title: Mailcwp remote file upload vulnerability incomplete fix v1.100
Author: Larry W. Cashdollar, @_larry0
Date: 2016-11-01
CVE-ID: CVE-2016-1000156
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2016-11-01
Vendor Contact: plugins@wordpress.org
Advisory: www.vapidlabs.com/advisory.php?v=175
Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
Vulnerability: I noticed that CVE-2015-1000000 wasn't fixed correctly: _any_ authenticated user can still upload a file to the WordPress installation, and can get PHP code execution by changing the extension to .php[3-5], .pht or .phtml.
My previous advisory:
http://www.vapidlabs.com/advisory.php?v=138
<?php
require_once "../../../wp-load.php";
// Any logged-in user passes this check; no capability or nonce is required.
if (!is_user_logged_in()) {
    die('{"ERROR": -1}');
}
// Both values come straight from the request, including the destination directory.
$message_id = $_REQUEST["message_id"];
$upload_dir = $_REQUEST["upload_dir"];
if (empty($_FILES) || $_FILES["file"]["error"]) {
    die('{"OK": 0}');
}
$fileName = $_FILES["file"]["name"];
$ext = pathinfo($fileName, PATHINFO_EXTENSION);
// The "fix": an exact match against the single string 'php'. Extensions such as
// php3, php4, php5, pht and phtml are not caught and pass through.
if ($ext == 'php') {
    die('{"ERROR": -2}');
}
// The client-supplied directory and file name are used unchanged for the final path.
move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");
die('{"OK": 1}');
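A hardened form of the handler above, added here as an example and not MailCWP's own patch: it replaces the single-extension denylist with an allowlist, drops the client-chosen upload directory, and stores the file under a server-generated name. Only WordPress core functions are used; the nonce action name and the 'mailcwp' subdirectory are assumptions.

```php
<?php
// Added example, not MailCWP's code: a hardened form of the upload handler
// above. Only WordPress core functions are used; the nonce action name and
// the 'mailcwp' subdirectory are assumptions.
require_once "../../../wp-load.php";
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    die('{"ERROR": -1}');
}
// A nonce stops another site from driving a logged-in browser into uploading.
check_ajax_referer('mailcwp_attachment_upload', 'nonce');
if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    die('{"OK": 0}');
}
// Never take the destination directory from the client ($_REQUEST["upload_dir"]
// in the original); derive it from the WordPress upload directory instead.
$upload   = wp_upload_dir();
$dest_dir = $upload['basedir'] . '/mailcwp';
if (!wp_mkdir_p($dest_dir)) {
    die('{"ERROR": -3}');
}
// message_id is numeric; reject anything else so it cannot carry path parts.
$message_id = absint($_REQUEST['message_id'] ?? 0);
if ($message_id === 0) {
    die('{"ERROR": -4}');
}
// Allowlist, not denylist: checking only for 'php' misses php3..php5, pht and
// phtml, which is exactly the gap the advisory describes.
$allowed = ['pdf', 'txt', 'png', 'jpg', 'jpeg', 'gif', 'zip'];
$orig    = sanitize_file_name(basename($_FILES['file']['name']));
$ext     = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) {
    die('{"ERROR": -2}');
}
// Cross-check the declared extension against what the content looks like.
$check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $orig);
if (empty($check['ext']) || strtolower($check['ext']) !== $ext) {
    die('{"ERROR": -2}');
}
// Server-generated name: the user never chooses the stored path, and the
// only extension present is the one validated above.
$stored = sprintf('%d-%s.%s', $message_id, bin2hex(random_bytes(8)), $ext);
if (!move_uploaded_file($_FILES['file']['tmp_name'], "$dest_dir/$stored")) {
    die('{"ERROR": -5}');
}
die('{"OK": 1}');
```

For defence in depth, pair this with a web-server rule that disables script execution under the uploads directory, so a validation slip still does not yield code execution.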
Notes: Incomplete fix for CVE-2015-1000000