Title: Arbitrary file upload vulnerability in Wordpress plugin flickr-picture-backup v0.7
Author: Larry W. Cashdollar, @_larry0
Date: 2017-04-26
CVE-ID: CVE-2017-1002016
CWE:
Download Site: https://wordpress.org/plugins/flickr-picture-backup/
Vendor: http://daozhao.goflytoday.com/
Vendor Notified: 2017-04-26
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=190
Description: Backs up Flickr pictures that pages/posts link to as external Flickr images.
Vulnerability: The script flickr-picture-download.php bootstraps WordPress itself (it requires ../../../wp-load.php), so it can be requested directly, and it never checks whether the requesting user is authenticated or has the capability to upload files. It also never checks what type of file the supplied url parameter points to before the plugin downloads it into the site.
define('WP_ADMIN', TRUE);
require_once('../../../wp-load.php');                     // loads WordPress, so the script is reachable directly
require_once(ABSPATH . 'wp-admin/includes/admin.php');
//require_once("./flickr-picture-backup.php");
//echo "flickr-picture-download.php";

// No is_user_logged_in() / current_user_can() / nonce check before this point.
if($_GET["url"])
{
    $url = $_GET["url"];                                  // attacker-controlled, not validated or type-checked
    $fl = wp_daozhao_download_flickr_picture($url);       // fetches the remote file into the site
    if ( is_wp_error($fl) )
    {
        echo "FALSE:" . $fl->get_error_message();
    }
    else
    {
        wp_daozhao_flickr_backupfile_exists($url,$returl);
        echo "OK:" . $returl ;                            // echoes the local path of the saved file
    }
    //echo wp_daozhao_flickr_backup_urlpath();
    //echo "OK";
}
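For comparison, the following is an added example of the same endpoint with the missing controls in place. It is not the plugin's code or a vendor fix: it reuses the two helper functions named in the advisory (wp_daozhao_download_flickr_picture and wp_daozhao_flickr_backupfile_exists), but the nonce action name, the Flickr host allow-list, and the choice of the upload_files capability are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Hardened version of
// flickr-picture-download.php: same behaviour, but only for authorised
// requests carrying a valid nonce and a validated image URL.
define('WP_ADMIN', true);
require_once('../../../wp-load.php');
require_once(ABSPATH . 'wp-admin/includes/admin.php');

// 1. Authentication + authorisation: only a logged-in user who may upload
//    media can cause a file to be written into the uploads directory.
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    wp_die('Forbidden', '', array('response' => 403));
}

// 2. CSRF protection: the admin page that links here must embed
//    wp_create_nonce('flickr_picture_download') as _wpnonce.
//    The action name is an assumption for this example.
$nonce = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';
if (!wp_verify_nonce($nonce, 'flickr_picture_download')) {
    wp_die('Invalid request', '', array('response' => 403));
}

// 3. Input validation: http(s) URL on an allowed Flickr host whose
//    filename has an image extension WordPress recognises.
$url = isset($_GET['url']) ? esc_url_raw(wp_unslash($_GET['url'])) : '';
if ($url === '' || !wp_http_validate_url($url)) {
    wp_die('Invalid URL', '', array('response' => 400));
}

$host = wp_parse_url($url, PHP_URL_HOST);
$allowed_hosts = array('flickr.com', 'staticflickr.com'); // assumed allow-list
$host_ok = false;
if (is_string($host)) {
    foreach ($allowed_hosts as $allowed) {
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            $host_ok = true;
            break;
        }
    }
}
if (!$host_ok) {
    wp_die('Host not allowed', '', array('response' => 400));
}

$path = wp_parse_url($url, PHP_URL_PATH);
$filetype = wp_check_filetype(is_string($path) ? basename($path) : '');
if (empty($filetype['type']) || strpos($filetype['type'], 'image/') !== 0) {
    wp_die('Only image files may be backed up', '', array('response' => 400));
}

// 4. Only now hand the URL to the plugin's own download helper.
$fl = wp_daozhao_download_flickr_picture($url);
if (is_wp_error($fl)) {
    echo 'FALSE:' . esc_html($fl->get_error_message());
} else {
    wp_daozhao_flickr_backupfile_exists($url, $returl);
    echo 'OK:' . esc_html($returl);
}
```

The extension check on the URL is only a pre-filter; a server can return any content regardless of the path it was requested under, so the downloaded bytes should also be checked (for example with wp_check_filetype_and_ext on the saved file) inside the download helper before the file is kept. The capability and nonce checks are what close the unauthenticated-access issue described in the advisory.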
Exploit Code:
Screen Shots: |
Notes: |