Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload Vulnerability

2012-02-13T00:00:00
ID SECURITYVULNS:DOC:27663
Type securityvulns
Reporter Securityvulns
Modified 2012-02-13T00:00:00

Description


Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload

author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://kishpress.com/guest-posting-plugin/

+-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+

[-] vulnerable code in /uploadify/scripts/uploadify.php

  1. if (!empty($_FILES)) {
  2. $tempFile = $_FILES['Filedata']['tmp_name'];
  3. $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
  4. $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
  5. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
  6. // $fileTypes = str_replace(';','|',$fileTypes);
  7. // $typesArray = split('\|',$fileTypes);
  8. // $fileParts = pathinfo($_FILES['Filedata']['name']);
  9. // if (in_array($fileParts['extension'],$typesArray)) {
  10. // Uncomment the following line if you want to make the directory if it doesn't exist
  11. // mkdir(str_replace('//','/',$targetPath), 0755, true);
  12. move_uploaded_file($tempFile,$targetFile);
  13. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
  14. // } else {
  15. // echo 'Invalid file type.';
  16. // }
  17. }

Restricted access to this script isn't properly realized, so an attacker might be able to upload arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.

[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered [19/12/2011] - Vendor notified through http://kish.in/contact-me/ [07/01/2012] - No response from vendor, notified again via email [16/01/2012] - After four weeks still no response [23/01/2012] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/18412/