oss-sec mailing list archives
Re: CVE-request: Kish Guest Posting Plugin for WordPress File Upload Remote PHP Code Execution
From: Henri Salo <henri () nerv fi>
Date: Thu, 8 Mar 2012 09:39:00 +0200
On Tue, Mar 06, 2012 at 12:39:15PM -0700, Kurt Seifried wrote:
> On 03/06/2012 12:31 AM, Henri Salo wrote:
>> Can we assign a CVE identifier for this security vulnerability, thanks.
>>
>> http://osvdb.org/show/osvdb/78479
>> http://www.securityfocus.com/bid/51638
>> http://secunia.com/advisories/47688/
>> http://www.exploit-db.com/exploits/18412/
>>
>> Plugin is disabled in WordPress (doesn't show up in http://wordpress.org/extend/plugins/), but SVN can be found here:
>> http://plugins.svn.wordpress.org/kish-guest-posting/trunk/
>>
>> File http://plugins.svn.wordpress.org/kish-guest-posting/trunk/readme.txt says:
>>
>> """
>> = 1.2 =
>> security update for Uploadify Script
>> """
>>
>> But I haven't tested (yet) if that is a valid fix for the vulnerability.
>>
>> - Henri Salo
>
> Please use CVE-2012-1125 for this issue.
>
> --
> Kurt Seifried
> Red Hat Security Response Team (SRT)
For curious people this is from SVN trunk: ------------------------------------------------------------------------ r403694 | kiaso | 2011-07-02 13:40:59 +0300 (Sat, 02 Jul 2011) | 1 line Uploadify.php security issue fixed ------------------------------------------------------------------------ r403689 | kiaso | 2011-07-02 13:24:03 +0300 (Sat, 02 Jul 2011) | 1 line Uploadify.php security issue fixed ------------------------------------------------------------------------ Index: uploadify/scripts/uploadify.php =================================================================== --- uploadify/scripts/uploadify.php (revision 403689) +++ uploadify/scripts/uploadify.php (revision 403694) @@ -1,3 +1,4 @@ +<<<<<<< .mine <?php /* Uploadify v2.1.4 @@ -27,6 +28,7 @@ $tempFile = $_FILES['Filedata']['tmp_name']; $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name']; + // $fileTypes = str_replace('*.','',$_REQUEST['fileext']); // $fileTypes = str_replace(';','|',$fileTypes); // $typesArray = split('\|',$fileTypes); 
@@ -35,11 +37,76 @@ // if (in_array($fileParts['extension'],$typesArray)) { // Uncomment the following line if you want to make the directory if it doesn't exist // mkdir(str_replace('//','/',$targetPath), 0755, true); + // Define allowed extensions + $allowable = array ( 'png', 'gif', 'jpg', 'jpeg' ); + $fileext = strtolower(substr( $_FILES['Filedata']['name'], -3 )); + + // Assume evil upload + $noMatch = 0; + + // Give it a try with this tiny extensionckeck + foreach( $allowable as $ext ) { + if ( strcasecmp( $fileext, $ext ) == 0 ) { + $noMatch = 1; + } + } + if(!$noMatch){ // People are bad. I told you... + echo "This file is not allowed..."; + exit(); + } + else { + move_uploaded_file($tempFile,$targetFile); + echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); + } + + // } else { + // echo 'Invalid file type.'; + // } +} +?>======= In my opinion this is not a proper fix for this security vulnerability as this doesn't detect the filetype. This code only assumes file is valid if filename suffix matches item from allowable array. I do not know how to contact developer of this plugin. I could even provide a working patch for this vulnerability. - Henri Salo
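Review bot: in the first hunk (`@@ -1,3 +1,4 @@`) the only added line, `+<<<<<<< .mine`, is an SVN merge-conflict marker committed into uploadify/scripts/uploadify.php above `<?php`. Since it sits outside the PHP tags, it is sent to the client as literal output on every request to the script; the two back-to-back commits with the same message (r403689 and r403694) look like the merge that left it there. Suggest removing the marker so the file again starts with `<?php`.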
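Review bot: in the hunk at `@@ -27,6 +28,7 @@`, `$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'` is left unchanged, so the client still chooses the directory the upload is written to, anywhere under the document root, and `$_FILES['Filedata']['name']` is still appended to it unsanitised, so `../` components in the client filename are honoured as well. Commenting out the `$_REQUEST['fileext']` handling is the right move (a client-supplied allow-list is no check at all), but `folder` needs the same treatment: write into a fixed server-side directory under a server-generated name.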
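Review bot: in the hunk at `@@ -35,11 +37,76 @@` the allow-list test compares the last three characters of the client filename, `substr($_FILES['Filedata']['name'], -3)`, rather than its extension, so `'jpeg'` in `$allowable` can never match (`.jpeg` uploads are rejected with "This file is not allowed..."), while any name whose last three characters are `png`, `gif` or `jpg` passes whatever precedes them (`x.php.jpg`, or a name with no dot at all); whether such a file then executes is decided by the web server's handler mapping, not by this check. Nothing inspects the file contents, so the bytes are never confirmed to be an image; `strcasecmp` after `strtolower` is redundant; `$noMatch` is set to 1 on a match, so its name reads backwards; and `move_uploaded_file` runs without looking at `$_FILES['Filedata']['error']`. Suggest taking the extension after the last dot (`pathinfo(..., PATHINFO_EXTENSION)`), validating the content (`finfo` and `getimagesize`), and storing under a server-chosen name. The hunk also ends with `?>=======`, a second merge-conflict marker that will be emitted as output after the closing tag.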
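The kind of check the reply above asks for, as an added example that is not part of the plugin, of Uploadify, or of the original thread: the extension is taken from after the last dot, the file contents are checked against the claimed type, and the destination is chosen by the server rather than by `$_REQUEST['folder']` or the client filename. The function names, the upload directory and the sample files are assumptions made for this demo; it needs PHP 7.1 or later with the fileinfo extension (enabled by default).

```php
<?php
// Added example, not the plugin's or Uploadify's own code. Function names,
// the upload directory and the sample files are assumptions for this demo.
// It shows what the committed patch lacks: an extension taken from after the
// last dot, a check of the file CONTENT, and a destination the client cannot
// choose.

// Allowed extension => MIME type libmagic must report for the bytes.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// IMAGETYPE_* constant the image decoder must agree on, per extension.
const EXPECTED_IMAGETYPE = [
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
];

/**
 * Validate a file the client claims is an image.
 * Returns the extension to store it under, or null if it must be rejected.
 */
function check_image_upload(string $client_name, string $tmp_path): ?string
{
    // Extension after the LAST dot, lower-cased. substr($name, -3) would
    // accept "x.php.jpg" (last three chars "jpg") and reject "x.jpeg" ("peg").
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // Content check 1: what libmagic says the bytes are.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;   // e.g. PHP source named shell.jpg, or GIF bytes named photo.jpeg
    }

    // Content check 2: the image decoder must agree on the type, so a
    // plausible magic number alone is not enough.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[2] !== EXPECTED_IMAGETYPE[$ext]) {
        return null;
    }
    return $ext;
}

/**
 * Accept one entry of $_FILES and store it under a server-generated name in a
 * fixed directory. Neither the client filename nor a request parameter such
 * as $_REQUEST['folder'] reaches the filesystem path.
 */
function store_upload(array $file, string $upload_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;   // not a file uploaded in this request
    }
    $ext = check_image_upload($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

// CLI demo on constructed sample files: the patch's last-three-characters
// test beside the content-aware check above. Both inputs are constructed
// here: a 1x1 transparent GIF and a PHP one-liner.
if (PHP_SAPI === 'cli') {
    $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
    $php = "<?php system(\$_GET['c']); ?>";
    $cases = [
        ['avatar.gif',    $gif],   // genuine image: accepted by both
        ['shell.php',     $php],   // rejected by both
        ['shell.php.jpg', $php],   // patch: accept (ends in "jpg"); here: reject
        ['photo.jpeg',    $gif],   // patch: reject ("peg"); here: reject (GIF bytes, JPEG name)
    ];
    foreach ($cases as [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $patch = in_array(strtolower(substr($name, -3)), ['png', 'gif', 'jpg', 'jpeg'], true)
            ? 'accept' : 'reject';
        $ours = check_image_upload($name, $tmp) === null ? 'reject' : 'accept';
        printf("%-14s patch: %-7s content-aware: %s\n", $name, $patch, $ours);
        unlink($tmp);
    }
}
```

The content checks are a second layer, not the primary defence: a real image can still carry PHP in its comment or metadata fields, so the upload directory must be configured not to execute scripts and the stored name must never come from the client. Run `php` on the file to see the four cases side by side.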
Current thread:
- CVE-request: Kish Guest Posting Plugin for WordPress File Upload Remote PHP Code Execution Henri Salo (Mar 05)
- Re: CVE-request: Kish Guest Posting Plugin for WordPress File Upload Remote PHP Code Execution Kurt Seifried (Mar 06)
- Re: CVE-request: Kish Guest Posting Plugin for WordPress File Upload Remote PHP Code Execution Henri Salo (Mar 07)
- Re: CVE-request: Kish Guest Posting Plugin for WordPress File Upload Remote PHP Code Execution Kurt Seifried (Mar 06)