Title: Remote file upload vulnerability in wp-front-end-repository v1.1 Wordpress plugin [Previously Discovered] |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-07-12 |
[CVE-none] |
Download Site: https://wordpress.org/plugins/wp-front-end-repository |
Vendor: |
Vendor Notified: 2015-07-11 |
Vendor Contact: |
Advisory: |
Description: Members can upload and download files, create directories up to unlimited level. |
Vulnerability: Lines 26-41 do not do any checking of any sort allowing arbitrary users to upload malicious executable scripts.
26 if (!empty($_FILES)) {
27 $tempFile = $_FILES['Filedata']['tmp_name'];
28 $targetPath = $_REQUEST['folder'];
29 $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
.
.
.
40 move_uploaded_file($tempFile,$targetFile);
41 echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
|
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |