Title: Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-07-10 |
[CVE-2015-1000001] |
Download Site: https://wordpress.org/plugins/fast-image-adder |
Vendor: |
Vendor Notified: 2015-07-10 |
Vendor Contact: plugins@wordpress.org |
Advisory: http://www.vapidlabs.com/advisory.php?v=139http://www.vapidlabs.com/advisory.php?v=139 |
Description: Add images to your blog posts from a URL in a flash. Skip the download/upload steps and the slow WordPress dialog box. |
Vulnerability: The fast-image-adder-uploader.php file doesn't check if a user is authorized to upload files: It creates a random file name, but reports the name back to the user.
60 $upload_dir = wp_upload_dir();
61 $path = $upload_dir['path'];
62 $new_filename = $suggested_name_filesystem . "_" . random_filename() . substr($url,strrpos($url,"."));
63
64
65 // If we are not in test mode, get the file and resize it
66 if ($test_mode === FALSE)
67 {
68 $image_data = file_get_contents($url);
69 file_put_contents($path . "/" . $new_filename,$image_data);
70 resize($path . "/" . $new_filename, $new_height, $new_width, $val_maxwidth, $path . "/" . $new_filename);
71 }
72
73 $new_url = $upload_dir['url'] . "/" . $new_filename;
.
.
83 if ($test_mode === FALSE)
84 {
85 echo "Uploaded as " . $new_url;
86 }
|
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: [fastupload.png] |
Notes: |