Title: Unrestricted File Upload vulnerability in Wordpress Plugin Mobile App Native 3.0 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-02-27 |
CVE-ID:[CVE-2017-6104] |
CWE: |
Download Site: https://wordpress.org/plugins/zen-mobile-app-native/ |
Vendor: https://profiles.wordpress.org/zendkmobileapp/ |
Vendor Notified: 2017-02-27 |
Vendor Contact: |
Advisory: http://www.vapidlabs.com/advisory.php?v=178 |
Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder. |
Vulnerability: The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content.
It also doesn't sanitize the file upload against executable code.
<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');
if ($_FILES['file']['name']) {
if (!$_FILES['file']['error']) {
$name = md5(rand(100, 200));
$ext = explode('.', $_FILES['file']['name']);
$filename = $name . '.' . $ext[1];
$destination = 'images/' . $filename;
$location = $_FILES["file"]["tmp_name"];
move_uploaded_file($location, $destination);
echo $plugin_url.'/server/images/' . $filename;
}
else {
echo $message = 'Ooops! Your upload triggered the following error: '.$_FILES['file']['error'];
}
} |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory