SecurityvulnsSECURITYVULNS:DOC:27663Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload Vulnerability
Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload
author…: Egidio Romano aka EgiX
mail…: n0b0d13s[at]gmail[dot]com
software link…: http://kishpress.com/guest-posting-plugin/
±------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
±------------------------------------------------------------------------+
[-] vulnerable code in /uploadify/scripts/uploadify.php
- if (!empty($_FILES)) {
-
$tempFile = $_FILES['Filedata']['tmp_name']; -
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; -
$targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name']; -
// $fileTypes = str_replace('*.','',$_REQUEST['fileext']); -
// $fileTypes = str_replace(';','|',$fileTypes); -
// $typesArray = split('\|',$fileTypes); -
// $fileParts = pathinfo($_FILES['Filedata']['name']); -
// if (in_array($fileParts['extension'],$typesArray)) { -
// Uncomment the following line if you want to make the directory if it doesn't exist -
// mkdir(str_replace('//','/',$targetPath), 0755, true); -
move_uploaded_file($tempFile,$targetFile); -
echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); -
// } else { -
// echo 'Invalid file type.'; -
// } - }
Restricted access to this script isn't properly realized, so an attacker might be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
[-] Disclosure timeline:
[19/12/2011] - Vulnerability discovered
[19/12/2011] - Vendor notified through http://kish.in/contact-me/
[07/01/2012] - No response from vendor, notified again via email
[16/01/2012] - After four weeks still no response
[23/01/2012] - Public disclosure
[-] Proof of concept: