Re: CVE-request: Kish Guest Posting Plugin for WordPress File Upload Remote PHP Code Execution

[Henri Salo <henri () nerv fi>]

On Tue, Mar 06, 2012 at 12:39:15PM -0700, Kurt Seifried wrote:
> On 03/06/2012 12:31 AM, Henri Salo wrote:
> > Can we assign CVE-identifier for this security vulnerability, thanks.
> >
> > http://osvdb.org/show/osvdb/78479
> > http://www.securityfocus.com/bid/51638
> > http://secunia.com/advisories/47688/
> > http://www.exploit-db.com/exploits/18412/
> >
> > Plugin is disabled in WordPress (doesn't show up in http://wordpress.org/extend/plugins/), but SVN can be found 
> > from here: http://plugins.svn.wordpress.org/kish-guest-posting/trunk/
> >
> > File http://plugins.svn.wordpress.org/kish-guest-posting/trunk/readme.txt says:
> >
> > """
> > = 1.2 =
> > security update for Uploadify Script
> > """
> >
> > But I haven't tested (yet) if that is valid fix for the vulnerability.
> >
> > - Henri Salo
>
> Please use CVE-2012-1125 for this issue.
>
> -- 
> Kurt Seifried Red Hat Security Response Team (SRT)

For curious people this is from SVN trunk:

------------------------------------------------------------------------
r403694 | kiaso | 2011-07-02 13:40:59 +0300 (Sat, 02 Jul 2011) | 1 line

Uploadify.php security issue fixed
------------------------------------------------------------------------
r403689 | kiaso | 2011-07-02 13:24:03 +0300 (Sat, 02 Jul 2011) | 1 line

Uploadify.php security issue fixed
------------------------------------------------------------------------

Index: uploadify/scripts/uploadify.php
===================================================================
--- uploadify/scripts/uploadify.php     (revision 403689)
+++ uploadify/scripts/uploadify.php     (revision 403694)
@@ -1,3 +1,4 @@
+<<<<<<< .mine
 <?php
 /*
 Uploadify v2.1.4
@@ -27,6 +28,7 @@
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
        $targetFile =  str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
+
        // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
        // $fileTypes  = str_replace(';','|',$fileTypes);
        // $typesArray = split('\|',$fileTypes);
@@ -35,11 +37,76 @@
        // if (in_array($fileParts['extension'],$typesArray)) {
                // Uncomment the following line if you want to make the directory if it doesn't exist
                // mkdir(str_replace('//','/',$targetPath), 0755, true);
+       // Define allowed extensions
+       $allowable = array ( 'png', 'gif', 'jpg', 'jpeg' );
+       $fileext = strtolower(substr( $_FILES['Filedata']['name'], -3 ));
+
+       // Assume evil upload
+       $noMatch = 0;
+
+       // Give it a try with this tiny extensionckeck
+       foreach( $allowable as $ext ) {
+               if ( strcasecmp( $fileext, $ext ) == 0 ) {
+                       $noMatch = 1;
+               }
+       }
+       if(!$noMatch){ // People are bad. I told you...
+               echo "This file is not allowed...";
+               exit();
+       }
+       else {
+               move_uploaded_file($tempFile,$targetFile);
+               echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
+       }

+
+       // } else {
+       //      echo 'Invalid file type.';
+       // }
+}
+?>=======

In my opinion this is not a proper fix for this security vulnerability as this doesn't detect the filetype. This code 
only assumes file is valid if filename suffix matches item from allowable array. I do not know how to contact developer 
of this plugin. I could even provide a working patch for this vulnerability.

- Henri Salo