Gravity Upload Ajax 1.1, Arbitrary File Upload
Arbitrary file upload in Gravity Upload Ajax 1.1 allows a remote unauthenticated user to upload files of any type. This provides the ability to upload a PHP shell.
Homepage
https://wordpress.org/plugins/gravity-file-ajax-upload-free/installation/
CVSS Score
9
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:C)
Attack Scope
remote
Authorization Required
None
Mitigation
Filter file types prior to accepting an upload. Place an .htaccess file in the gravity_forms directory that prevents PHP/script execution under it.
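As an added example, not the plugin's own code, the two mitigations above in PHP: an extension and content-type allowlist applied before the upload is accepted, and an .htaccess written into the upload directory to deny script execution. The gua_* names and the allowlists are assumptions; the .htaccess uses Apache 2.4 syntax.

```php
<?php
// Added example, not the plugin's own code: allowlist validation for an upload
// handler plus an .htaccess that blocks script execution in the upload tree.
// All names below (gua_*) are hypothetical. Assumes PHP >= 7.1 and Apache 2.4.
const GUA_ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const GUA_ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

/**
 * Returns null when $file (one $_FILES entry) is acceptable, else a reason.
 * Every dot-separated segment after the first is checked, so "x.php.jpg"
 * is rejected just like "x.php", and the client-supplied type is ignored.
 */
function gua_validate_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    $segments = array_slice(explode('.', strtolower(basename($file['name']))), 1);
    if ($segments === []) {
        return 'missing extension';
    }
    foreach ($segments as $seg) {
        if (!in_array($seg, GUA_ALLOWED_EXT, true)) {
            return "extension not allowed: $seg";
        }
    }
    // Sniff the bytes on disk instead of trusting $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, GUA_ALLOWED_MIME, true)) {
        return "content type not allowed: $mime";
    }
    return null;
}

/** Server-chosen random name; the client's filename never reaches the disk. */
function gua_safe_name(array $file): string {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Defence in depth: deny execution of scripts under the gravity_forms directory. */
function gua_write_htaccess(string $dir): void {
    $rules = "<FilesMatch \"\\.(php|phtml|php[0-9]|phar|pl|py|cgi)$\">\n"
           . "  Require all denied\n"
           . "</FilesMatch>\n";
    file_put_contents(rtrim($dir, '/') . '/.htaccess', $rules);
}

// Typical use in the handler:
// if (($err = gua_validate_upload($_FILES['file'])) !== null) { http_response_code(400); exit($err); }
// move_uploaded_file($_FILES['file']['tmp_name'], "$dir/" . gua_safe_name($_FILES['file']));
```

The .htaccess only takes effect where the server honours per-directory overrides (AllowOverride), so the allowlist check must remain the primary control.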
Proof of Concept
upload.html, phpinfo.php

upload.html opened in a web browser, phpinfo.php selected as the target file. Form submitted. The following response is received:

{"file":[{"name":"phpinfo.php","size":18,"type":"application/octet-stream","url":"http://www.wordpress.local/wp-content/uploads/gravity_forms/b48844f8aa8ab3d80d28be52fa51ccd9/2014/07/phpinfo.php","deleteUrl":"http://www.wordpress.local/wp-content/?fil=phpinfo.php","deleteType":"DELETE"}]}

phpinfo.php is now publicly available from the URL http://www.wordpress.local/wp-content/uploads/gravity_forms/b48844f8aa8ab3d80d28be52fa51ccd9/2014/07/phpinfo.php
Timeline
- 2014-07-18: Discovered
- 2014-07-18: Reported to WP.org
- 2014-07-18: CVE ID Assigned
- 2014-08-01: Advisory released