WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload

2016-06-27T00:00:00
ID EDB-ID:40012
Type exploitdb
Reporter i0akiN SEC-LABORATORY
Modified 2016-06-27T00:00:00

Description

WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload. Webapps exploit for php platform

                                        
                                            # Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox. 
# Demo: https://youtu.be/FSRZlD3SVQc

====================
 DESCRIPTION
====================

An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote 
attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.

===================
 STEPS TO REPRODUCE
===================

1.- Go to "Custom fields" tab and add a new custom field with "type" file.
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
3.- Select your php shell and save the product.
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.

================
 Vulnerable code
================
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions.

function UPCP_Handle_File_Upload($Field_Name) {
	..		
	if (!is_user_logged_in()) {exit();}
		/* Make sure that the file exists */ 	 	
		elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
			$error = __('No file was uploaded here..', 'UPCP');
		}
		/* Move the file and store the URL to pass it onwards*/ 	 	
		else {				 
		 	  $msg .= $_FILES[$Field_Name]['name'];
			//for security reason, we force to remove all uploaded file
			$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
			//create the uploads directory if it doesn't exist
			if (!file_exists($target_path)) {
				  mkdir($target_path, 0777, true);
			}
			$target_path = $target_path . basename( $_FILES[$Field_Name]['name']); 
			if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
				//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
	 			  $error .= "There was an error uploading the file, please try again!";
			}
	...
}

?>

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


==========
time-line
==========

2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclousure
===================================